U. S. Government Printing Office • Office of Inspector General

Semiannual Report to Congress
October 1, 2009 to March 31, 2010

The U.S. Government Printing Office

For well over a century, the U.S. Government Printing Office (GPO) has fulfilled the needs of the Federal Government for information products and distributing those products to the public. GPO is the Federal Government’s primary resource for gathering, cataloging, producing, providing, authenticating, and preserving published U.S. Government information in all its forms. GPO also produces and distributes information products and services for each of the three branches of Government.

Under the Federal Depository Library Program, GPO distributes a wide range of Government publications in print and online to more than 1,250 public, academic, law, and other libraries across the country. In addition to distributing publications through that library system, GPO provides access to official Federal Government information through public sales and other programs, and—most prominently—by posting more than a quarter of a million titles online through GPO Access (www.gpoaccess.gov).

Today more than half of all Federal Government documents begin as digital products and are published directly to the Internet. Such an evolution of creating and disseminating information challenges GPO, but it has met those challenges by transforming itself from primarily a print format entity to an agency ready, willing, and able to deliver from a digital platform a high volume of information to a multitude of customers.

Although a transition to digital technology changes the way products and services are created and offered, GPO strives to continually satisfy the requirements of Government and accomplish its mission of Keeping America Informed.

The Office of Inspector General

The Office of Inspector General (OIG) was created by the GPO Inspector General Act of 1988—title II of Public Law 100-504 (October 18, 1988) (GPO IG Act). The GPO OIG is dedicated to acting as an agent of positive change—changes that will help GPO improve its efficiency and effectiveness as the Agency undertakes an era of unprecedented transformation. Through evaluation of GPO’s system of internal controls, the OIG recommends policies, processes, and procedures that help prevent and detect fraud, waste, abuse, and mismanagement. The OIG also recommends policies that promote economy, efficiency, and effectiveness in GPO programs and operations.

The OIG informs the Public Printer and Congress about problems and deficiencies as well as any positive developments relating to GPO’s administration and operation. To accomplish those responsibilities, the OIG conducts audits, assessments, investigations, inspections, and other reviews.

Contents

Message from the Inspector General
Highlights of This Semiannual Report
OIG Management Initiatives
Personnel Update
Council of Inspectors General for Integrity and Efficiency
Review of Legislation and Regulations

GPO Management Challenges

Office of Audits and Inspections
A. Summary of Audit and Inspection Activity
B. Financial Statement Audit
C. Audit and Inspection Reports
D. Status of Open Recommendations

Office of Investigations
A. Summary of Investigative Activity
B. Types of Cases
C. Summary of Investigative Accomplishments
D. Other Significant Activities

Appendices
A. Glossary and Acronyms
B. Inspector General Act Reporting Requirements
C. Statistical Reports
   Table C-1: Audit Reports with Questioned and Unsupported Costs
   Table C-2: Audit Reports with Recommendations That Funds Be Put to Better Use
   Table C-3: List of Audit and Inspection Reports Issued During Reporting Period
   Table C-4: Investigations Case Summary
   Table C-5: Investigations Productivity Summary

Message from the Inspector General

Security is always excessive until it’s not enough.
— Robbie Sinclair, Head of Security, Country Energy, NSW Australia

I am pleased to present this Semiannual Report to Congress, which covers the activities of the GPO Office of Inspector General for the period October 1, 2009 through March 31, 2010.

Of particular importance during this reporting period was our work on security issues. The Office of Audits and Inspections (OAI) finalized an audit of the security of the e-Passport components supply chain. GPO is the sole producer of blank e-Passports to the Department of State. As further noted in the OAI section, the audit identified that the e-Passport supply chain security process was largely informal and GPO offices with overlapping responsibility should have been coordinating their work efforts rather than working autonomously.

Such an informal and uncoordinated process led to, among other things, insufficient security audits of critical e-Passport suppliers, lack of contractual control over subcontractors providing critical e-Passport components, and lack of contractor security plans or security-related requirements for some suppliers.
We will monitor management’s plan to implement necessary internal controls over the supply chain to ensure the security of e-Passport production.

In addition, the Office of Investigations investigated the loss of 18 laptop computers from an agency storage area. We were unable, however, to determine the disposition of these laptops due to the lack of security and inventory control over these materials. As a result, an audit is underway that will focus on security of agency property and management controls.

In this report, we also update the most significant management challenges facing the Agency. We note that human capital operations and management remains a critical challenge to the Agency. We are hopeful that the ongoing reorganization and focus on customer-driven solutions will bring about much needed change and direction. As noted previously, commitment by GPO senior management should bring about significant operational improvement.

The GPO OIG remains committed to quality, integrity, accountability, and transparency as we continue to fulfill our mission and goals. I encourage you to visit our website (www.gpo.gov/oig) and, to keep informed of OIG activities, please sign up to receive automatic email updates.

J. Anthony Ogden
Inspector General
U.S. Government Printing Office

Highlights of This Semiannual Report

The Office of Audits and Inspections (OAI) issued six new audit and assessment reports. Those 6 reports contained 45 recommendations for improving GPO operations, including strengthening internal controls throughout the Agency. OAI issued a supply chain security audit of the Agency’s e-Passport production activities. OAI continued to oversee the Independent Verification and Validation (IV&V) efforts related to implementation of the Federal Digital System (FDsys) and the annual audit of GPO’s financial statement.

OAI’s significant accomplishments during this reporting period include the following:

• Completed an audit report assessing the adequacy of GPO’s security over its e-Passport components. The audit identified that the e-Passport supply chain security process was largely informal and that different GPO offices with overlapping responsibility related to e-Passport production or security should have been coordinating their work rather than working autonomously, which would have ensured proper security protocols over critical e-Passport component suppliers. Such an informal and uncoordinated process led to insufficient security audits of critical e-Passport suppliers, lack of contractual control over subcontractors providing e-Passport components, lack of contractor security plans or security-related requirements, and lack of required contract file documentation for some suppliers.
  Management concurred with our recommendations, which were designed to strengthen the security of the e-Passport supply chain.
• Completed our oversight responsibilities with respect to GPO’s annual financial statement audit for which the Agency again received an unqualified opinion from the Independent Public Accounting (IPA) firm of KPMG, LLP.
• Completed an assessment of GPO’s compliance with the Federal Information Security Management Act (FISMA), finding that although the Agency has made some progress in complying with FISMA, additional improvements are needed.
• Completed an assessment of GPO’s network vulnerability management finding that the Agency implemented a robust and effective program that identifies and circumvents common internal and external network threats.
• Issued two quarterly IV&V reports on the FDsys and made recommendations designed to strengthen program management, particularly technical risks associated with risk management and configuration management for future FDsys releases.

The Office of Investigations (OI) opened 10 full investigations and 26 complaints for preliminary investigation, while closing 15 investigations and 28 complaints (8 of which were closed with no action). At the end of this reporting period, the OI has 33 ongoing investigations and 22 open complaints. Additionally, seven investigations resulted in referrals to GPO management for potential administrative action, and eight complaints were referred to GPO management or other agencies.

Of the open complaints and investigations, 31 involve allegations of procurement fraud, demonstrating increased OI efforts in addressing procurement and financial fraud vulnerability within GPO. This heightened increase in procurement fraud cases is just one of the results of OI efforts to engage and educate management, Print Procurement officials, and other acquisitions employees.

Several ongoing investigations are being conducted in coordination with the Department of Justice, including its Antitrust Division. As part of the investigations, the Inspector General (IG) issued 12 subpoenas for documents this reporting period.

OI’s significant accomplishments during this reporting period include:

• Investigated allegations that a GPO employee used or attempted to use her position for personal financial gain and benefit close friends. As part of this investigation, OI staff worked jointly with the Department of Justice Public Integrity Section, and management proposed terminating the employee.
• Investigated disposition of 18 laptop/portable computers identified as missing from an Information Technology and Systems (IT&S) Division storage area at the GPO headquarters building. We reported to management that as a result of a lack of security and inventory controls in IT&S, OI was unable to determine the final disposition of 18 missing laptops. The findings of the investigation were referred to OAI, which initiated an audit of IT&S property management protocols.
• As a result of a previously reported OI investigation, which found that GPO employees failed to provide truthful information during an administrative investigation conducted by GPO Human Capital Office, three employees retired after receiving notice of termination and the fourth received a 30-day suspension and demotion.

OI continues investigations into allegations of false statements, false claims, and/or bid collusion by GPO print vendors. OI has the assistance of the Department of Justice Antitrust Division, which continues to evaluate the cases for possible criminal and/or civil action.

The Office of Administration/Legal Counsel (OALC) provides legal advice and counsel on issues arising during audits, inspections, and investigations, including opinions regarding legal accuracy and sufficiency of OIG reports. OALC manages administrative and management issues as well as congressional and media relations and requests for information. OALC often reviews and edits audit, inspection, and investigative reports before the IG approves.

During this reporting period, OALC accomplished the following:

• Reviewed, edited, and approved 12 subpoenas.
• Developed a Memorandum of Understanding with GPO’s IT&S to establish policies about access to and security of OIG digital information on GPO servers.
• Developed an internal administrative policy for streamlining and formalizing administrative procedures.
• Drafted an information security policy for discussion to be completed and finalized during the next reporting period.
• Began the internal process for an update of the OIG’s strategic plan.
• Provided support to the IG in his capacity as Chairman of the Legislation Committee of the Council of Inspectors General on Integrity and Efficiency (CIGIE).
• Received an award from the Council of Counsels to the Inspector General (CCIG) for exemplary service to the CCIG Website Working Group.
• Acted on a variety of matters as the OIG liaison to the GPO General Counsel, including support with GPO litigation and personnel action matters and the GPO Chief of Staff’s office.

OIG Management Initiatives

During this reporting period, senior managers began work on updating the OIG 3-year strategic plan. An office-wide retreat in June 2010 is planned where managers and employees will discuss the vision, direction, and goals of the OIG and how to continue to enhance, improve, and measure the success of its operations. The OIG was also featured in the GPO publication, Typeline, which is a quarterly magazine issued to all GPO employees. The Typeline article discussed the role and work of the OIG through personal interviews with an investigator, Elisabeth Heller, and an auditor, Karl Allen.
The OIG will continue to work on a communications strategy for reaching as many GPO employees as possible to educate them about the role of the OIG, employee rights, and the importance of reporting wrongdoing and cooperating with the OIG.

Personnel Update

During this reporting period, Rebecca Sharek joined OAI as a supervisory auditor. Rebecca brings 15 years of audit experience to the OIG from the National Aeronautics and Space Administration (NASA). While at NASA, Rebecca was a Program Manager in the OIG, where she supervised a variety of audits related to the Manned Spaceflight Program and Safety and Mission Assurance. She also worked as the Audit Liaison and Business Systems Manager at the John F. Kennedy Space Center. Rebecca is a Certified Internal Auditor and graduated from Rollins College in Florida. She has a Master’s Degree in Business Administration from the University of Central Florida.

[Photo caption: Elisabeth Heller, special agent, and Karl Allen, supervisory auditor, were featured in the GPO employee publication Typeline. Rebecca Sharek joined the OIG as a supervisory auditor.]

Council of Inspectors General for Integrity and Efficiency

On October 14, 2008, the Inspector General Reform Act of 2008, Public Law 110-409, established the CIGIE. The CIGIE addresses integrity, economy, and effectiveness issues that transcend individual Government agencies and helps increase professionalism and the effectiveness of personnel by developing policies, standards, and approaches aiding in establishing a well-trained and highly skilled workforce in OIGs. The GPO OIG—along with other Legislative Branch OIGs—is a member of CIGIE.

The role of the CIGIE includes identifying, reviewing, and discussing areas of weakness and vulnerability in Federal programs and operations for fraud, waste, and abuse, and developing plans for coordinated Government-wide activities that address those problems and promote economy and efficiency in Federal programs and operations.

In May 2009, the IG at GPO was elected to serve a 2-year term as Chairman of the CIGIE Legislation Committee. The Legislation Committee provides to the IG community helpful and timely information about congressional initiatives. The Committee also solicits the IG community’s views and concerns in response to congressional initiatives and requests, and presents views and recommendations to congressional entities and the Office of Management and Budget (OMB).

On behalf of the CIGIE Legislation Committee, the IG wrote letters and engaged in communications with several congressional committees on various legislative matters affecting the IG community, most significantly to:

• Express support for IG subpoena authority that includes attendance and testimony of non-Federal agency witnesses to aid audits and investigations that may be hampered by lack of cooperation of private contractors, grantees, former employees, and other third parties.
• Convey the results of a CIGIE survey conducted to assess the sense of the IG community regarding a requirement under Senate Bill 372 (S-372), the Whistleblower Protection Enhancement Act of 2009, that IGs designate a Whistleblower Protection Ombudsman within their offices.

Legislative branch IGs continued to meet quarterly in response to a Senate Appropriations Committee request that the IGs throughout the legislative branch communicate, cooperate, and coordinate with one another on an informal basis. The meetings continue to improve communications and contact between the legislative branch IGs. During this reporting period, the Inspector General for the U.S. Capitol Police hosted the meeting. Some issues discussed and under ongoing consideration include:

• Shared training opportunities for legislative branch OIG personnel.
• Cross-cutting legislative branch audits and inspections to include concerns regarding agency protection of personally identifiable information (PII).
• Joint efforts to improve environmental conditions and reduce costs.
• Development of consistent OIG privacy protection policies.
• Ongoing discussions regarding legislative issues affecting the legislative branch OIG offices.

Review of Legislation and Regulations

The OIG, in fulfilling its obligations under the IG Act, reviews existing and proposed legislation and regulations relating to programs and operations at GPO. It then makes recommendations in each semiannual report on the impact of legislation or regulations on the economy and efficiency of programs and operations administered or financed by GPO. In an effort to assist the Agency in achieving its goals, we continue to play an active role in that area.

Although there were no legislative proposals relating to GPO programs and operations, the OIG reviewed and provided comments on a proposed Directive to protect PII.

GPO Management Challenges

In each Semiannual Report to Congress, the OIG identifies for management a list of issues most likely to hamper the Agency’s efforts if not addressed with elevated levels of attention and resources. In this report, we have refreshed the list of management challenges that we believe are critical for the Agency to address.

GPO’s Top 10 Management Challenges

 1. Human Capital Operations and Management.
 2. Information Technology Management and Security.
 3. Security and Intelligent Documents.
 4. Internal Controls.
 5. Protection of Sensitive Information.
 6. Acquisitions and Print Procurement.
 7. Financial Management and Performance.
 8. Continuity of Operations.
 9. Strategic Vision and Customer Service.
10. Sustainable Environmental Stewardship.

1. Human Capital Operations and Management. The issues facing Human Capital (HC) operations and management at GPO were identified as a significant management challenge for several OIG semiannual reporting periods. HC operations are at the heart of effectively accomplishing an agency’s mission. In essence, HC provides the services necessary to acquire the most precious and important source of productivity—its employees.

Indeed, writing about the challenges of human capital, J. Christopher Mihm recently noted that “[d]riven by long-term fiscal constraints, changing demographics, evolving governance models, and other factors, the federal government is facing new and more complex challenges in the twenty-first century and federal agencies must transform their organizations to meet these challenges. Strategic human capital management must be the centerpiece of any serious change in management strategy.”¹ In today’s environment, successful HC operations are “results-oriented, customer-focused, and collaborative.”²

The Government Accountability Office (GAO) has identified four critical areas related to Strategic HC Management the OIG believes are relevant to GPO:

• Leadership. Top leadership must provide committed and inspired attention needed to address human capital transformation issues.
• Strategic Human Capital Planning. HC planning efforts must be fully integrated with mission and critical program goals.
• Acquiring, Developing, and Recruiting Talent. Agencies need to augment strategies to recruit, hire, develop, and retain talent.
• Results-oriented Organizational Cultures. Organizational cultures must promote high performance and accountability, empower and include employees in setting and accomplishing programmatic goals, and develop and maintain inclusive and diverse workforces reflective of all segments of society.³

Based on our own experience as clients of HC, a recent investigation of a HC employee and the results of recent internal and external HC reviews, we are concerned that management has not placed enough emphasis on addressing these four areas to transform HC operations and management. First, we noted previously that the Office of Personnel Management (OPM) completed an HC Management Review of GPO in late 2008. The objectives of the review were to determine whether GPO adhered to merit systems principles as well as complied with applicable laws and regulations. OPM also assessed the Agency’s efficiency and effectiveness in administering HC and human resources management programs and systems.

Among the significant findings of the OPM evaluation were that GPO (1) did not finalize its long-term strategic goals and objectives, (2) did not conduct a workforce analysis identifying its mission-critical occupations and competencies, (3) had no indication that the existing HC function had the capacity and data structure needed to partner strategically with managers to conduct workforce analysis and planning, and (4) did not assess its organizational, occupational, and individual needs or evaluate the training offered to determine how well it meets short- and long-range program needs. While management did not fully agree with the OPM findings, the Agency did indicate that it has either planned or initiated actions addressing the recommendations. We encourage management to undertake and complete all actions necessary to address these recommendations.

We also believe that the Agency faces challenges in acquiring, developing, and retaining a diverse, qualified workforce with the right skill sets for meeting both the Agency’s needs today and in the future. In September 2008, we completed a congressionally requested audit of GPO’s diversity programs, particularly those related to establishing a more diverse population in senior leadership positions. The audit revealed that while GPO voluntarily adopted several components for establishing a model Federal Government diversity program, improvements could be made toward enhancing diversity of the Agency’s corps of senior-level employees. We recommended in the report that the Public Printer adopt all or a combination of the leading practices that the GAO recommends for establishing a model Federal Government program. GPO management agreed with our recommendations.

As of this reporting period, however, we are not able to close the recommendations in the report and urge that GPO management, once again, provide a comprehensive plan for addressing implementation of the recommendations. In addition, as previously noted, although the Agency has begun training management on “EEO and Discriminatory Harassment,” comprehensive diversity training for managers and employees at GPO is still needed.

¹ “Human Capital: Federal workforce challenges in the Twenty-first Century,” in Hannah S. Sistare, Myra Howze Shiplett and Terry F. Buss, eds., Innovations in Human Resource Management: Getting the Public’s Work Done in the 21st Century (New York: M.E. Sharpe, Inc., 2009), 13.
² Id. at 19.
³ GAO Report GAO-09-632T, http://www.gao.gov/new.items/d09632t.pdf.

We are also concerned that HC operations are hampered by a broken culture. As a result, in part, of issues the OIG raised regarding processing new OIG employees since August of 2008, management tasked its Organizational Architects (OAs) with conducting an HC operations review. Among other things, the focus was to assess HC operations and procedures for processing new employees as well as within-grade increases. OA found that more than 50 percent of personnel processed through HC at GPO in Fiscal Year (FY) 2009 experienced errors. The review noted a lack of ownership, responsibility, and accountability for those errors as significant problems. The review also noted a lack of means for measuring accuracy and performance incentives focusing on speed rather than accuracy.

the Agency’s IT resources is critical. Acquisition, implementation, and sustainment of engineering issues associated with the IT&S Business Unit, including security issues, pose new management challenges.

Noteworthy challenges for IT&S include establishing a top-level Enterprise Architecture and support for several significant initiatives, including FDsys, the e-Passport system, digital publication authentication using a Public Key Infrastructure (PKI), information system management, implementation of the GPO’s Business Information System (GBIS) (an Oracle solution), and implementation of electronic human resources systems.
According to              Legac y systems increasing ly in h ibit t he\nthe review, the culture in HC allows for \xe2\x80\x9cblaming, finger   Agency\xe2\x80\x99s ability to respond to customer needs and\npointing and ultimately mistakes,\xe2\x80\x9d which has resulted       must be replaced. To create a plan that will help mit-\nin \xe2\x80\x9cextremely\xe2\x80\x9d low HC employee morale.                      igate risks for aging legacy systems, IT&S initiated\n      In response to the OA review, management is           an analysis of legacy applications and their impact\nworking closely with OPM to restructure HC oper-            on business operations. IT&S recently completed\nations. For HC to successfully transform to a high-         a 5-year strategy for improving the level of system\nperforming business unit, the restructuring must            support, and has begun executing the plan. The\nnot, however, be simply a re-shuffling of the chairs        strategy they developed should guide the Agency\nbut actually produce a change in the HC culture to          through implementation of new systems and retire-\nachieve \xe2\x80\x9cresults-oriented, customer-focused, and            ment of legacy systems. FDsys, human resource\ncollaborative\xe2\x80\x9d HC solutions.                                systems, and GBIS releases are now operational.\n                                                            Additionally, in FY 2009, IT&S completed an agency-\n2. Information Technology Management and Security.          wide rollout of an enhanced Time and Attendance\nAs GPO transforms to a highly efficient and secure          application (WebTA). 
The following areas are sig-\nmultimedia digital environment, management of               nificant IT issues confronting the Agency:\n\n\n\n\n                                                            S e m i a n n u a l r e p o r t t o c o n g r e ss           11\n\x0c     a.\tCompliance with the Federal Information Security       preservation subsystem (accessible to GPO inter-\n        Management Act                                         nal users only); and the access subsystem for pub-\n     Because GPO provides services to executive branch         lic content access and dissemination. A multi-year,\n     agencies that must comply with the Federal Information    multi-release integration effort will design, procure,\n     Security Management Act (FISMA) of 2002, GPO chose        develop, integrate, and deploy select technologies\n     to substantially comply with the principles of the Act.   and components of FDsys.\n     Complying with FISMA presents additional chal-                  The OIG is responsible for the IV&V work associ-\n     lenges for IT&S, including protecting sensitive Agency    ated with developing and implementing FDsys. We con-\n     systems, information, and data. During FY\xc2\xa02007, the       tracted with American Systems to conduct program-\n     OIG conducted a baseline assessment of compliance         matic and technical evaluations of the FDsys Program\n     with FISMA to identify any gaps and deficiencies in       and determine whether system implementation com-\n     GPO\xe2\x80\x99s overall information security program, includ-       plies with the FDsys project plan and cost plan as well\n     ing critical systems. We completed a full FISMA assess-   as meets GPO requirements. The IV&V effort also moni-\n     ment in FY\xc2\xa02009. 
The scope included evaluating GPO        tors development and program management practices\n     progress in complying with FISMA based on the 2007        and processes to anticipate potential issues.\n     assessment. Our most recent assessment noted that               The FDsys Program has undergone substantial\n     while GPO has made some progress in complying with        changes since its inception. During the fall of 2007, the\n     FISMA, additional improvements are needed. Many of        schedule and scope for the first release was changed\n     the weaknesses identified during the FY 2007 baseline     significantly and a final release with a reduced scope\n     assessment still exist.                                   was planned for late 2008. In early 2008, GPO imple-\n          Looking forward, the potential changes to            mented a reorganization of the program with respect\n     FISMA resulting from draft legislation currently          to Government and contractor participation and\n     before Congress present IT&S with areas to monitor        responsibilities and implemented a new design for\n     and incorporate into GPO\xe2\x80\x99s FISMA planning process.        FDsys. The GPO FDsys Program Management Office\n     b.\tImplementation of the Federal Digital System           (PMO) assumed from the contractor the role of Master\n     FDsys will be a comprehensive information life-cycle      Integrator. The PMO also assumed responsibility for\n     management system that will ingest, preserve, pro-        designing and managing system development. The\n     vide access to, and deliver content from the three        original Master Integrator contractor and other con-\n     branches of the Federal Government. 
The system            tractors were assigned system development roles\n     is envisioned as a comprehensive, systematic, and         under the overall guidance of the PMO.\n     dynamic means of preserving electronic content                  In January 2009, GPO deployed a public beta ver-\n     free from dependence on specific hardware and/            sion of the FDsys access subsystem, which employed\n     or software. FDsys has three major subsystems: the        8 of the 55 data collections in the GPO Access system.\n     content management subsystem and the content              The content management and content preservation\n\n\n\n\n12   Off i c e o f I n s p e c t o r G e n e r a l\n\x0csubsystems, supporting the Internal Service Provider,      COOP effort can be completed. The COA concept is\nCongressional Publishing Specialist, Preservation          scheduled to be operational August 2010. The most\nSpecialist, and Report user roles, were released in        recent completion date for a full COOP capability is\nlate March of 2009. Since deployment, the PMO has          December 2010.\nupdated and upgraded the beta system and corrected               A more troublesome concern for the FDsys\ndeficiencies identified during testing.                    Program is the quality of the deployed system. While\n      During this reporting period, the PMO com-           the testing effort has improved and become more\npleted the deployment of several post-Release 1 pro-       rigorous, the test team continues to identify numer-\nduction builds. Despite these deployments, however,        ous software problems prior to deployment of major\nFDsys Release 1 is still not complete and close to 4       production builds. The problems, documented as\nyears have elapsed since inception of the Program          Problem Tracking Reports (PTRs), describe errors or\nin August 2006. 
The beta system contains less than         deficiencies in system operation and failures to meet\nhalf (only 25) of the GPO Access Collections. Both         expected performance. With each deployment the\nGPO Access and FDsys must be operational to ensure         number of PTRs has grown, and hundreds of PTRs\nthat all GPO content is available to the public. The       remain open. The ongoing need to resolve and close\nContinuity of Operations (COOP) capability, a criti-       the PTRs consumes program resources and reduces\ncal step in the transition from GPO Access to FDsys        PMO ability to develop and deploy new functionality.\nas the \xe2\x80\x9csystem of record,\xe2\x80\x9d is not yet implemented.               This brief assessment does not mean to imply that\n      In addition, as of Februar y 28, 2010, GPO           the Program lacks effort or has failed to produce a via-\nexpended $36.5 million (unaudited) to deploy Release       ble product. The FDsys beta system has received praise\n1, substantially exceeding the original planned cost of    for its look, feel, and ease of use. The PMO has also dealt\n$16 million. This expenditure has yet to produce a final   with external commitments and requests (for example,\nversion of Release 1, and a beta version of the release    availability of bulk data) that have altered the internal\ncontains considerably less functionality in terms of the   priorities and resulted in the delay of work on devel-\nsystem requirements than originally planned.               opment of the capabilities envisioned for FDsys. The\n      A complete IV&V assessment of the quality of         OIG believes that the primary challenges for the FDsys\nthe FDsys Program 6 months into FY 2010 remains            Program are in the areas of program management, sys-\ndifficult at this time, but several concerns should be     tem engineering leadership, and technical direction\nhighlighted. 
First, although the Program has met its       as well as an adequate test program for the FDsys sys-\ninitial goal of fielding a beta system, the PMO is still   tem. The goal of our on-going IV&V efforts is to report\nhaving difficulty closing out Release 1. Recently, the     key risks and issues to the PMO and management and\nPMO published an initial Release 1 Completion Plan,        provide value-added recommendations that will help\ndelineating high-level milestones required for the         mitigate those risks.\n\xe2\x80\x9csunsetting\xe2\x80\x9d of GPO Access and the establishment of        c.\tOther Challenges\nFDsys as the GPO system of record. Although the plan       On August 23, 2009, GPO\xe2\x80\x99s Persistent Uniform\nis a good start, if the PMO fails to effectively manage    Resource Locator (PURL)4 server failed, causing sig-\nthe plan in areas such as tracking costs, schedule, and    nificant downtime for Federal depository librar-\nresources, the overall goal of completing Release 1 by     ies across the United States in disseminating U.S.\nthe end of FY 2010 may not be achieved.                    Government information. Surprisingly, no backup\n      Another concern is the apparent change in the        plan existed, and IT&S could not provide the nec-\ncriteria the PMO previously identified as a prerequisite   essary software application support for the rebuild\nfor \xe2\x80\x9csunsetting\xe2\x80\x9d GPO Access. This criteria included the    process. As a result, GPO ended up outsourcing the\navailability of a full COOP capability. According to the\nRelease 1 Completion Plan, this capability will not be     4\n                                                            \xe2\x80\x82PURLs are Web addresses that act as permanent\ninitially available. Instead, the PMO intends to create    identifiers for changing Web infrastructure. 
PURLs are\na Continuity of Access (COA) Instance until the entire     persistent because once established, a PURL does not\n                                                           change although a Web page may change.\n\n\n\n                                                           S e m i a n n u a l r e p o r t t o c o n g r e ss            13\n\x0c     building of a \xe2\x80\x9cbridge of stability\xe2\x80\x9d for the current sys-\n     tem. Ultimately, we believe that FDsys will address\n     persistent identification of content requirements,\n     but at present there is no timeline to complete this\n     transition.\n          As a result of the server failure, we initiated an\n     inspection to determine what caused the server to fail,\n     why no backup capability was available, and why IT&S\n     could not support the rebuild process. The results of\n     our inspection could identify lessons learned to help\n     prevent similar incidents from occurring. We expect to\n     issue a report during the next reporting period.\n\n     3. Security and Intelligent Documents. As the\n     Federal Government\xe2\x80\x99s leading provider of secure\n     credentials and identity documents, Security and\n     Intelligent Documents (SID) is a business unit that\n     management believes best exemplifies the Agency\xe2\x80\x99s\n     transformation toward high-technology production.\n     During this reporting period, SID reported successful\n     manufacturing for the Department of State of more\n     than 5.5 million electronic passports (e-Passport).\n     The Washington, D.C., facility produced more than\n     3.7 million passports while the Secure Production\n     Facility (SPF) located at a COOP site in Stennis,\n     Mississippi, produced more than 1.8 million pass-             to implement necessary internal controls over e-Pass-\n     ports. 
The FY 2010 production target volume for the           port supply chain security.\n     Department of State is a total of 11 million passports.             SID continues to operate the Washington, D.C.-\n           During this reporting period, the OIG issued a final    based Secure Credential Center (SCC), which supports\n     audit report on the security of the e-Passport supply         the Department of Homeland Security\xe2\x80\x99s Customs and\n     chain. This report is the latest product resulting from the   Border Protection (DHS/CBP) Trusted Traveler Programs\n     OIG\xe2\x80\x99s continuing oversight of the e-Passport production       (TTP).5 SCC also produces, personalizes, and distributes\n     process. As further noted in the OAI section, the audit       the Department of Health and Human Services Center\n     identified that the e-Passport supply chain security pro-     for Medicare and Medicaid Service\xe2\x80\x99s (CMS) Medicare\n     cess was largely informal and GPO offices with overlap-       identification cards to citizens of Puerto Rico. As opposed\n     ping responsibility should have been coordinating their       to blank e-Passport production, which does not entail the\n     work efforts rather than working autonomously.                
\xe2\x80\x9cpersonalization\xe2\x80\x9d of the credential with a citizen\xe2\x80\x99s per-\n           Such an informal and uncoordinated process              sonal information, the TTP and CMS programs entail the\n     led to insufficient security audits of critical e-Passport    use of PII by GPO to produce identity cards.\n     suppliers, lack of contractual control over subcontrac-             During this reporting period, the OIG began\n     tors providing e-Passport components, lack of contrac-        an audit of GPO\xe2\x80\x99s secure personalization system\n     tor security plans or security-related requirements and       (SECAPS) information technology security controls.\n     lack of required contract file documentation for some         SECAPS is the baseline for personalization operations\n     suppliers. Management concurred with our recom-\n                                                                   5\n     mendations to strengthen the security of the e-Pass-            \xe2\x80\x82TTPs provide expedited travel for preapproved, low-risk\n                                                                   travelers through dedicated lanes and kiosks by providing\n     port supply chain. We will monitor management\xe2\x80\x99s plan          them secure identification cards.\n\n\n\n14   Off i c e o f I n s p e c t o r G e n e r a l\n\x0cthat support various GPO customer identity card pro-\ngrams, including TTP and CMS. The audit will deter-\nmine whether a requisite level of information technol-\nogy security controls is being applied to help ensure\ndata integrity, data confidentiality, and system avail-\nability. Because SECAPS handles PII, the OIG is plac-\ning particular audit emphasis on security controls\nover PII. 
The audit includes a security evaluation of\nSECAPS physical controls, system interconnections\nand the transmission of PII, operating systems and\ndatabase systems supporting SECAPS, and purging\nof PII.\n      Standards promote industry best practices for\noccupational health and safety standards and pro-\ngrams in a production environment. SID reported\nthe continuation of 5S audits at both plant locations.\n5S is a series of defined steps and audits intended to      to more comprehensively serve Federal Government\nimprove efficiencies in manufacturing process flows,        organizations in the area of secure credentials. SID is\nequipment usage and placement, and environmental            also working to develop the capability to manufacture\nhousekeeping standards. According to SID, both loca-        secure blank card bodies through the procurement of\ntions (the District of Columbia and Stennis) continued      card lamination and punch equipment and technolo-\nto refine and formalize standard operating procedures       gies that will result in more secure and controlled card\nused in the planned ISO 9000 audits and certification       production as well as lower costs and better service to\nprocess.6 Additionally, SID is working to complete          GPO\xe2\x80\x99s agency customers.\na library of standard operating procedures that will              GPO, in cooperation with the Department of State\xe2\x80\x99s\nunderpin and lay the foundation for the OHSAS 18001         Bureau of Consular Affairs, plans to issue a Request for\ncertification at a future date.7                            Proposal during FY 2010 for procurement of e-Cov-\n      SID reported that it also continues its work to       ers used in the manufacturing of U.S. Passports. 
The\ncomplete the certification process for SCC to become a      proposed e-Covers will be compatible with existing\nfacility qualified to handle, personalize, and distribute   GPO manufacturing and Department of State pass-\nHomeland Security Presidential Directive 12 (HSPD-          port personalization processes, and will be required\n12) cards. SID expects certification sometime during        to meet various external applicable requirements and\nthe next reporting period. Completion will allow SCC        standards, including those of the International Civil\n                                                            Aviation Organization (ICAO) and ISOs.\n                                                                  Because of SID\xe2\x80\x99s growing strategic importance\n6\n  \xe2\x80\x82ISO (International Organization for Standardization)\n                                                            for the Agency\xe2\x80\x99s transformation efforts and its sensi-\nis the world\xe2\x80\x99s largest developer and publisher of\nInternational Standards. The ISO 9000 family of standards   tive work in areas of national security, the OIG will\nrepresents an international consensus on good quality       closely monitor management\xe2\x80\x99s efforts in developing\nmanagement practices. It consists of standards and          formal, internal security controls of these products\nguidelines relating to quality management systems and\nrelated supporting standards.                               and continue to emphasize oversight of production\n7\n  \xe2\x80\x82OHSAS 18001 is an Occupation Health and Safety           and transportation processes.\nAssessment Series for health and safety management\nsystems. It is intended to help an organization control\n                                                            4. Internal Controls. GPO management establishes and\noccupational health and safety risks. 
It was developed\nin response to widespread demand for a recognized           maintains a system of internal controls for effective\nstandard against which to be certified and assessed.        and efficient operations, reliable financial reporting,\n\n\n\n\n                                                            S e m i a n n u a l r e p o r t t o c o n g r e ss         15\n\x0c     and compliance with laws and regulations. Almost all\n     OIG audits include assessments of a program, activity,\n     or function\xe2\x80\x99s control structure and the OIG has several\n     ongoing audits that are assessing internal controls.\n           Of concern, however, is that our audits continue\n     to identify issues related to internal controls. For exam-\n     ple, we issued during this reporting period a report of\n     an audit that reviewed and evaluated internal controls\n     associated with the security of GPO\xe2\x80\x99s e-Passport sup-\n     ply chain. As part of that evaluation, we determined\n     whether GPO had formal documented policies, proce-\n     dures, techniques, or mechanisms in place to imple-\n     ment a security process for its e-Passport supply chain      5. Protection of Sensitive Information. GPO must\n     and whether an organizational structure was in place         establish rules of conduct and appropriate admin-\n     that clearly defined key areas of authority, responsi-       istrative, technical, and physical safeguards that\n     bility, and appropriate lines of reporting for e-Pass-       will adequately identif y and protect sensitive\n     port supply chain security. We identified that a control     information. 
Failure to do so could result in harm,\n     deficiency existed because GPO did not have a for-           embarrassment, inconvenience, or unfairness to\n     mal, Agency-wide process for ensuring security for the       individuals and GPO, including possible litiga-\n     e-Passport supply chain as basic Federal Government          tion. Of particular importance is the need to safe-\n     internal control standards require.                          guard against and respond to the breach of PII. This\n           The annual financial statement audit also              includes PII contained in information systems as\n     addresses internal control issues and provides man-          well as paper documents. In accordance with OMB\n     agement with recommended corrective actions.                 Memoranda 06-15 and 07-16, executive branch\n     Although management recognizes the need for                  agencies had to implement policies and procedures\n     improving the internal control environment to suc-           to protect and respond to the breach of PII as far\n     cessfully implement its strategic vision and planned         back as the middle of 2007.\n     future initiatives, Agency action is important because             As noted in previous reporting periods, the OIG\n     of implementation of Statement on Auditing Standards         advised GPO of its concerns regarding protection of sen-\n     (SAS) No.\xc2\xa0112, \xe2\x80\x9cCommunicating Internal Control               sitive information, including PII. 
FISMA requires each\n     Related Matters Identified in an Audit.\xe2\x80\x9d SAS No.\xc2\xa0112         agency to establish rules of conduct for persons involved\n     establishes standards and provides guidance on com-          with PII, establish safeguards for PII, and maintain\n     municating matters related to an entity\xe2\x80\x99s internal con-      accurate, relevant, timely and complete PII information.\n     trol over financial reporting identified in a financial      As reported in OIG Report 07-09 \xe2\x80\x93 \xe2\x80\x9cGPO Compliance\n     statement audit. The standard requires that the auditor      with the Federal Information Security Management\n     communicate control deficiencies that are \xe2\x80\x9csignificant       Act (FISMA),\xe2\x80\x9d dated September 27, 2007, and again in\n     deficiencies\xe2\x80\x9d and \xe2\x80\x9cmaterial weaknesses.\xe2\x80\x9d                     our FISMA Report 10-03 dated January 12, 2010, GPO\xe2\x80\x99s\n           As further discussed in the OAI section, during        IT&S Division is making progress in protecting PII con-\n     the FY 2009 financial statement audit, KPMG iden-            tained in information systems. However, at the comple-\n     tified two significant internal control deficiencies it      tion of our latest assessment, GPO had not designated\n     did not consider material weaknesses. The signifi-           an official responsible for managing and monitoring the\n     cant deficiencies identified by KPMG were related to         Agency\xe2\x80\x99s privacy compliance efforts. As a result, privacy\n     (1) financial reporting controls, and (2) information        requirements have not been adequately identified and\n     technology (IT) general and application controls. An         communicated to other responsible officials.\n     evaluation of internal controls will continue to be an             We are encouraged though that progress has\n     area of emphasis on all OIG audits.       
                   occurred in this area during this reporting period.\n\n\n\n16   Off i c e o f I n s p e c t o r G e n e r a l\n\x0cWe recognize that management concurred with our           goods and services, especially those necessary to\nprevious recommendations that GPO immediately             transform the Agency and provide services to its\nidentify any contracts and contractors handling           Federal customers, in an efficient, effective, account-\nPII, review security requirements, request security       able, and environmentally conscious manner is essen-\nplans, conduct on-site surveys and inspections, and       tial. With more than $675 million in acquisitions dur-\nappoint a GPO Privacy Officer who will establish          ing FY 2009, we remain concerned that the Agency\nand oversee a comprehensive sensitive information         has not devoted the resources necessary to conduct\nprotection program. Indeed, during this reporting         independent assessments of Acquisition Services\nperiod, GPO issued two Directives addressing PII.         that clearly identify gaps in effective performance\nThe first one, Directive 110.15C, \xe2\x80\x9cU.S. Government        and implement a plan for resolving critical issues,\nPrinting Office Contract Review Board (CRB),\xe2\x80\x9d dated       as required for executive branch agencies under the\nMarch 29, 2010, prescribes the functions, the com-        Services Acquisition Reform Act of 2003 and OMB\nposition, and the responsibilities of GPO\xe2\x80\x99s CRB and       guidelines.\naddresses PII issues related to print contract awards           Last year OMB provided guidelines to executive\ninvolving PII. The CRB provides an objective and          branch agencies to conduct internal reviews of the\nindependent review of select proposed procure-            acquisition function required under OMB Circular No.\nment actions of Print Procurement or Acquisition          A-123. 
OMB used the GAO \xe2\x80\x9cFramework for Assessing\nServices for compliance with applicable GPO and           the Acquisition Function at Federal Agencies\xe2\x80\x9d as the\nGovernment laws, polices, and procedures. The             standard assessment approach.8 Although GPO is not\nDirective specifically states that for awards involv-     required to follow OMB guidelines in that area, we\ning PII or other sensitive information, before the        believe that the Agency would benefit from performing\ncontract is awarded, contracting officers must pro-       that review process of Acquisition Services. We look\nvide the CRB with \xe2\x80\x9csigned and dated confirmation          forward to the results of the independent assessment\nfrom the GPO\xe2\x80\x99s Federal agency customer that the           that the Public Printer announced in his November\nproposed awardee meets all PII or sensitive infor-        30, 2009, letter to Congress.\nmation handling requirements . . . [and] a copy of              We are also concerned about other specific\nthe security plan. . . .\xe2\x80\x9d                                 issues regarding agency contract administration, as\n      Directive 825.41, \xe2\x80\x9cProtection of Personally         evidenced in part by our recent audit of the security\nIdentifiable Information,\xe2\x80\x9d dated March 30, 2010,          of the e-Passport supply chain. As our audit of the\nestablishes a framework for the protection of PII         e-Passport supply chain revealed, of the 10 signifi-\nat GPO. Under the Directive, the Public Printer           cant e-Passport supplier contracts reviewed, 5 lacked\nwill appoint a person at the senior manager level         critical information that the Agency\xe2\x80\x99s Materials\nas Privacy Officer (PO) who will implement the            Management Acquisition Regulation (MMAR)\nDirective. The first tasks the PO will undertake will     requires. 
Such contract file information is critical to\nbe review of PII held by all business units, reduce PII   our office so we can review and investigate Agency\nto the minimum necessary, develop a schedule for          contracting actions and administration. Acquisition\nperiodic review of PII, establish a plan to eliminate     Services should comply with the MMAR by properly\nthe unnecessary collection and use of social secu-        documenting contract files.\nrity numbers, and establish an incident response                In addition, we are concerned that a signifi-\nplan to handle breaches of PII. We will monitor           cant number of e-Passport supplier contracts did\nimplementation of Directive 825.41 to ensure that         not contain security-related requirements or lan-\nsafeguards are in place, implemented, and followed.       guage that would have given the Agency the right to\n                                                          review, authorize the subcontracting of, and inspect\n6. Acquisitions and Print Procurement. As with other\nFederal agencies across the Government, GPO faces         8\n                                                            \xe2\x80\x82GAO Report GAO-05-218G, September 2005, http://\nchallenges in its acquisition functions. Acquiring        www.gao.gov/new.items/d05218g.pdf.\n\n\n\n                                                          S e m i a n n u a l r e p o r t t o c o n g r e ss        17\n\x0c     the operations of companies that provide critical         nesses, KPMG identified two significant deficiencies\n     components for the e-Passport. 
Acquisition Services       it did not consider material weaknesses, including\n     should work in coordination with the Office of            (1) financial reporting controls, and (2) information\n     General Counsel and SID to ensure that all con-           technology (IT) general and application controls.9\n     tracts related to the e-Passport, and other sensitive           With respect to financial reporting controls, KPMG\n     identity products, include such language to ensure        identified specific deficiencies concerning the review\n     proper security plans and oversight rights.               and reporting of general property, plant and equipment;\n          Finally, as discussed below on the issue of          certain reconciliation controls; and controls over com-\n     environmental stewardship, GPO\xe2\x80\x99s Acquisition              pilation of statement of cash flows. Deficiencies with the\n     Services should develop a goal of advance sus-            design and/or operations of GPO\xe2\x80\x99s IT general and appli-\n     tainable acquisition. Executive Order 13514, dated        cation controls were noted in security management,\n     October 5, 2009, requires executive branch agen-          access controls, configuration management, and con-\n     cies to ensure that 95 percent of applicable con-         tingency planning. Financial management and perfor-\n     tracts meet sustainability requirements. We rec-          mance and the Agency\xe2\x80\x99s ability to provide timely, accu-\n     ommend that GPO set an equally ambitious goal as          rate, and useful financial information will continue to\n     part of its sustainable procurement agenda.               be a management concern.\n\n     7. Financial Management and Performance. Over the         8. Continuity of Operations. 
GPO\xe2\x80\x99s ability to con-\n     years, financial management and performance has           tinue its mission essential functions of congres-\n     been identified by many agencies, including GPO, as       sional printing and publishing, production of the\n     a significant management challenge. Federal agencies      Federal Register, and production of blank passport\n     continue to face challenges providing timely, accurate,   books for the Department of State during a disrup-\n     and useful financial information and managing for         tion in operations continues to be a significant area\n     results. Better budget and performance integration has    of concern. The power loss incident in 2009, which\n     become even more critical for results-oriented manage-    directly affected production of the Congressional\n     ment and efficient allocation of scarce resources among   Record, brought the issue of COOP to the foreground\n     competing needs. OIG auditors and the contractors they    and underscored the critical nature of the Agency\xe2\x80\x99s\n     oversee are vital in keeping the Federal Government\xe2\x80\x99s     ability to continue essential functions during a dis-\n     financial information and reporting transparent, valid,   ruption of operations. A public-facing server outage\n     and useful to agency decision makers and other stake-     in 2009 also raised issues concerning capability of\n     holders. GPO has completed migration of current busi-     GPO to maintain communications with external\n     ness, operational, and financial systems, including       stakeholders and employees during a COOP event to\n     associated work processes, to an integrated system of     include Web-based content as well as e-mail.\n     Oracle enterprise software and applications known as           The Agency continues to take the necessary steps\n     the Oracle E-Business Suite. 
The new system is intended   for enhancing its COOP posture, including planning\n     to provide GPO with integrated and flexible tools that    and conducting exercises with scenarios that tested\n     support business growth and customer technology           alternate production facilities and procedures for\n     requirements for products and services.                   notifying essential personnel. Accomplishments\n          The OIG continues to oversee the activities of\n     KPMG, the IPA conducting the annual financial             9\n                                                                 \xe2\x80\x82A significant deficiency is defined as a deficiency, or\n     statement audit. KPMG expressed an unqualified            combination of deficiencies, in internal control that is less\n                                                               severe than a material weakness, yet important enough\n     opinion on GPO\xe2\x80\x99s FY 2009 financial statements, stat-\n                                                               to merit attention by those charged with governance.\n     ing that the Agency\xe2\x80\x99s financial statements were fairly    A material weakness is a deficiency, or combination\n     presented, in all material respects, and in confor-       of deficiencies, in internal control, such that there is a\n                                                               reasonable possibility that a material misstatement of\n     mity with generally accepted accounting principles.\n                                                               the entity\xe2\x80\x99s financial statements will not be prevented, or\n     Although GPO addressed previous material weak-            detected and corrected on a timely basis.\n\n\n\n18   Off i c e o f I n s p e c t o r G e n e r a l\n\x0cduring the most recent reporting period included an       tinue these efforts to enhance business development\nExecutive Offices COOP exercise in February 
2010.         and customer service and measure their level of suc-\nThis exercise was the first involving executive leader-   cess to ensure a culture of continuous improvement.\nship and some support units, and included relocation           Nevertheless, after almost six years, the Agency\xe2\x80\x99s\nto a non-GPO facility for strategy and decision making.   Strategic Vision, which was issued on December 4,\nThe primary goal of the exercise was to familiarize the   2004 and included a Business Plan from FY 2005\nnecessary people with the procedures and situation of     through 2009, is itself in need of review and updat-\nworking out of a non-GPO building to manage the first     ing. The Agency should review its transformational\nphase of a COOP event. Although all of the exercise\xe2\x80\x99s     efforts to date to measure its accomplishments, its\ngoals were demonstrated, areas needing improvement        shortcomings, and its renewed vision for the future.\nwere identified and recommendations were made to\nfurther improve the Agency\xe2\x80\x99s COOP posture.                10. Sustainable Environmental Stewardship. As the\n                                                          largest industrial manufacturer in the District of\n9. Strategic Vision and Customer Service. To achieve      Columbia, GPO has always faced challenges to\nits objectives as a 21st Century information process-     become more environmentally sensitive. The Public\ning and dissemination operation, GPO management           Printer has made central to his administration \xe2\x80\x9cthe\nmust maintain the appropriate focus, staffing, and        call to sustainable environmental stewardship\xe2\x80\x9d and\nalignment with the Agency Strategic Vision. The cul-      to attempt to be \xe2\x80\x9cgreen\xe2\x80\x9d in virtually every step of\nture and focus of customer service efforts must reflect   the printing process. 
Previously, the Public Printer\na new way of thinking, and customers should come          outlined a plan that would help GPO become more\nto GPO because they want\xe2\x80\x94not because they must.           efficient and make better use of resources under\nTransformation of the traditional GPO customer            its control. More recently, the Public Printer noted\nrelationship requires a continuing evolution toward       that a future based on environmental sustainabil-\nstate-of-the-art customer relations management.           ity is more than simply going \xe2\x80\x9cgreen,\xe2\x80\x9d but rather \xe2\x80\x9cit\n      In line with its Strategic Vision, GPO previously   means expanding our digital operations and mak-\nreorganized several business units to better serve its    ing changes in paper, inks, equipment configura-\nvarious Government customers. This realignment            tions, and energy sources so that we can support\nof business units was initiated to help streamline        our customers in Congress, Federal agencies, and\nprocesses, strengthen customer relationships, and         the public in a more efficient and environmentally\ndevelop new sales opportunities. GPO should con-          responsible way.\xe2\x80\x9d\n\n\n\n\n                                                          S e m i a n n u a l r e p o r t t o c o n g r e ss        19\n\x0c           We reported in our previous semiannual report     provide training on making purchases that are envi-\n     that GPO was printing the Congressional Record on       ronmentally sound and comply with the spirit of the\n     paper comprising 100 percent post-consumer waste.       order. These and other stewardship initiatives will\n     GPO is also printing the Federal Register on 100 per-   require a top-to-bottom and bottom-to-top commit-\n     cent post-consumer waste paper. Progress contin-        ment. 
Employee empowerment and training will be\n     ues on other initiatives including, moving from Web     absolutely necessary for the Agency to achieve its\n     offset presses to digital equipment, accelerating the   goals and sustain them.\n     re-engineering of business processes, conducting             We noted in our previous report that GPO\xe2\x80\x99s envi-\n     energy audits, and installing a green roof.             ronmental executive recommended to the OIG issues\n           We continue to encourage management and           to explore with the GPO legislative branch counter-\n     Congress to renew their efforts to evaluate a new       parts. Those recommendations include the following:\n     facility that would more appropriately meet Agency      \xe2\x80\xa2\t consolidating waste hauling contracts to obtain a\n     needs and be more energy efficient. A more energy          more favorable rate for recycled goods as well as\n     efficient and environmentally conscious facility           ensure that each agency can participate in recy-\n     not only fits with the Agency\xe2\x80\x99s environmental stew-        cling efforts.\n     ardship initiative but also meets the environmen-\n                                                             \xe2\x80\xa2\t consolidating standard goods purchasing, such as\n     tal and economic objectives for Congress and the\n                                                                cafeteria supplies, cleaning chemicals, and paper\n     Administration.\n                                                                (in all its forms), to reduce cost and ensure each\n           We also encourage management to promote\n                                                                agency is using the \xe2\x80\x9cgreenest\xe2\x80\x9d products available.\n     and incorporate green thinking into all business\n     processes through performance metrics, reward           \xe2\x80\xa2\t sharing service contracts to 
achieve economies\n     programs, and other means. For example, we                 of scale and uniformity throughout the legislative\n     urge an integrated approach to green acquisition.          branch agencies.\n     In October 2009, the President issued E.O. 13514,             The legislative branch OIGs have reviewed the\n     which sets sustainability goals for Federal agen-       issues and are exploring crosscutting review oppor-\n     cies and focuses on making improvements in their        tunities. We again encourage management to address\n     environmental, energy, and economic performance.        these issues directly with officials in other legislative\n     In particular, the Executive Order advances sus-        branch agencies.\n     tainable acquisition by ensuring that 95 percent              We have included in our work plan a review of\n     of new contract actions including task and deliv-       energy use at GPO to determine whether a compre-\n     er y orders for products and services (with the         hensive plan exists for implementing energy-related\n     exception of acquisition of weapon systems) are         projects, as part of an overall plan that helps reduce\n     energy-efficient (such as Energy Star or Federal        emissions, energy consumption, and energy costs.\n     Energy Management Program designated), water-           We look forward to working with Agency personnel\n     efficient, bio-based, environmentally preferable        in achieving a long-term and sustainable environ-\n     (for example, Electronic Product Environmental          mental stewardship program.\n     Assessment Tool certified), non-ozone depleting,\n     contain recycled content, or are non-toxic or less-\n     toxic alternatives, where such products and ser-\n     vices meet an agency\xe2\x80\x99s performance requirements.\n     Although not required to adhere to the Executive\n     Order, we urge that management adopt its tenets\n     and develop 
written polices for purchasing envi-\n     ronmentally sustainable goods and services, moni-\n     tor compliance annually and fix shortcomings, and\n\n\n\n\n20   Off i c e o f I n s p e c t o r G e n e r a l\n\x0co f f i c e o f au d i t s\na n d inspections\n\n\n\n\nA\n         s the IG Act requires, OAI conducts independent and objec-\n         tive performance and financial audits relating to GPO oper-\n         ations and programs, and oversees the annual financial\nstatement audit conducted by an IPA firm under contract. OAI also\nconducts short-term inspections and assessments of GPO activities\ngenerally focusing on issues limited in scope and time. OIG audits are\nperformed in accordance with generally accepted government audit-\ning standards that the Comptroller General of the United States issues.\nWhen requested, OAI provides accounting and auditing assistance for\nboth civil and criminal investigations. OAI refers to OI for investiga-\ntive consideration any irregularities or suspicious conduct detected\nduring audits, inspections, or assessments.\n\n\nA . Summary of Audit and\nInspection Activit y\nDuring this reporting period, OAI issued six new audit and assessment\nreports. Those 6 reports contained 45 recommendations for improving\nGPO operations, including strengthening internal controls throughout\nthe Agency. OAI continued its work with management to close open\nrecommendations carried over from previous reporting periods. As of\nMarch 31, 2010, a total of 52 recommendations from previous report-\ning periods remain open.\n\n\nB. Financial Statement Audit\n(Audit Report 10-02, Issued January 8, 2010)\nFederal law requires that GPO obtain an independent annual audit\nof its financial statements, which the OIG oversees. KPMG conducted\nthe FY 2009 audit under a multiyear contract for which OAI serves\nas the Contracting Officer\xe2\x80\x99s Technical Representative (COTR). 
The\noversight ensures that the audit complies with Government Audit\nStandards. OAI also assisted with facilitating the external audi-\ntor\xe2\x80\x99s work as well as reviewing the work performed. In addition,\n\n\n\n\n                 S e m i a n n u a l r e p o r t t o c o n g r e ss       21\n\x0c                                                               and has either planned or initiated responsive cor-\n                                                               rective action.\n\n\n                                                               C. Audit and Inspection Reports\n\n                                                               1. Assessment Report 10-01\n                                                               (Issued December 2, 2009)\n\n                                                               Federal Digital System (FDsys) Independent\n                                                               Verification and Validation \xe2\x80\x93 Ninth Quarter\n                                                               Report on Risk Management, Issues,\n     OAI provided administrative support to the KPMG           and Traceability\n     auditors and coordinated the audit with GPO man-          The GPO FDsys program is intended to modernize\n     agement. OIG oversight of KPMG, as differentiated         the GPO information collection, processing, and\n     from an audit in accordance with Government Audit         dissemination capabilities it performs for the three\n     Standards, was not intended to enable us to express,      branches of the Federal Government. During this\n     and accordingly we did not express, an opinion on         reporting period, the OIG continued to oversee the\n     GPO\xe2\x80\x99s financial statements, the effectiveness of          efforts of American Systems as it conducted IV&V for\n     internal controls, or compliance with laws and reg-       the public release of FDsys. 
As part of its contract with\n     ulations. However, our oversight, as limited to the       the OIG, American Systems is assessing the state of\n     procedures outlined earlier, disclosed no instances       program management, technical and testing plans,\n     in which KPMG did not comply, in all material             and other efforts related to the rollout of Release 1.\n     respects, with Government Audit Standards.                The contract requires that American Systems issue\n           KPMG issued an unqualified opinion on GPO\xe2\x80\x99s         to the OIG a quarterly Risk Management, Issues, and\n     FY 2009 financial statements, stating that the            Traceability Report, providing observations and rec-\n     Agency\xe2\x80\x99s financial statements were fairly presented,      ommendations on the program\xe2\x80\x99s technical, schedule,\n     in all material respects, and in conformity with gener-   and cost risks as well as requirements traceability\n     ally accepted accounting principles. KPMG identified      of those risks and the effectiveness of the program\n     two significant deficiencies, which it did not consider   management processes in controlling risk avoidance.\n     to be material weaknesses. Those deficiencies were:            This ninth quarterly report, which was for the\n     (1) financial reporting controls and (2) information      period July 1, 2009, through September 30, 2009, iden-\n     technology (IT) general and application controls.         tifies a number of technical risks associated with\n           With respect to financial reporting controls,       FDsys configuration management and risk man-\n     KPMG identified specific deficiencies concerning          agement activities. 
The report contains 11 recom-\n     the review and reporting of general property, plant       mendations designed to strengthen these activities.\n     and equipment; certain reconciliation controls; and       Management generally concurred with the recom-\n     controls over compilation of statement of cash flows.     mendations and has either taken or proposed respon-\n     Deficiencies with the design and/or operations of         sive corrective actions.\n     GPO\xe2\x80\x99s IT general and application controls were noted\n     in security management, access controls, configura-       2. Assessment Report 10-03\n     tion management, and contingency planning.                (Issued January 12, 2010)\n           KPMG did not disclose any instances of non-         GPO\xe2\x80\x99s Compliance with the Federal Information\n     compliance with certain provisions of laws, regula-       Security Management Act\n     tions, and contracts or other matters required to be\n                                                               FISMA requires that each executive branch agency\n     reported under Government Audit Standards. KPMG\n                                                               develop, document, and implement an agency-wide\n     made recommendations for each condition and man-\n                                                               program for providing security for the information\n     agement concurred with those recommendations\n\n\n22   Off i c e o f I n s p e c t o r G e n e r a l\n\x0cand information systems that support the opera-\ntions and assets of the agency, including those pro-\nvided or managed by another agency, contractor, or\nother source. Although a legislative branch agency,\nGPO recognizes the need to be FISMA compliant\nbecause the services it provides, including services\nto executive branch agencies. 
In FY 2007, the OIG\ncontracted with a consulting firm to perform a base-\nline assessment of GPO\xe2\x80\x99s FISMA compliance and to\nevaluate the design and effectiveness of the controls\nover GPO\xe2\x80\x99s information security program, policies,\nand practices.\n     We completed a full FISMA assessment in FY\n2009. The assessment was performed using the\nmost recent applicable FISMA requirements and\nguidelines published by the OMB and the National\nInstitute of Standards and Technology. Significant\nemphasis was placed on evaluating the GPO systems\nused for providing services to client agencies.\n     The OIG issued a sensitive report concluding that\nGPO made some progress in complying with FISMA,\nbut that additional improvements are needed. Many\nof the weaknesses identified during the FY 2007 base-\nline assessment still exist. The OIG made a total of 21\nrecommendations, which, if implemented, will help\nfurther move GPO toward FISMA compliance.\n\n3. Assessment Report 10-04\n(Issued January 19, 2010)\n\nGPO Network Vulnerability Management\nNetwork vulnerability management is the process\nof identifying and protecting systems and appli-\ncations that are potentially vulnerable to attack\nin an organization\xe2\x80\x99s network segment. Identifying\nvulnerabilities is a vital part of an information\nsecurity program. Vulnerabilities present mali-\ncious users with an opportunity to gain unauthor-               GPO\xe2\x80\x99s Passport Printing and Production System\nized access to a system. There are many ways to           (PPPS) is a set of common hardware and software\ndiscover vulnerabilities. For example, automated          integrated with custom printing machinery for the\nscanning tools are typically used to assess systems       purpose of printing, stitching, and binding compo-\nand applications for known vulnerabilities. In addi-      nents of the U.S. passport. 
Public-facing servers are\ntion, patch management tools can identify systems         Web servers accessible to any computer connected to\nthat haven\xe2\x80\x99t been patched and therefore may pose          the Internet. Access is commonly achieved through\nvulnerabilities. Organizations often use a combina-       a client program known as a Web browser. Web serv-\ntion of those tools as part of an overall vulnerability   ers allow people to submit and query information\nmanagement program.                                       in a common graphic user interface. Public-facing\n\n\n\n                                                          S e m i a n n u a l r e p o r t t o c o n g r e ss      23\n\x0c     servers at GPO include GPO Access and the Federal        that will be defined by stakeholder inputs and PMO\n     Depository Library Program Desktop.                      requirements. These two recommendations were\n           An OIG assessment of the GPO network vulner-       no longer considered applicable as a result of the\n     ability management program focused specifically          change in development approach because the PMO\n     on GPO\xe2\x80\x99s passport production system environment          does not intend to define a final system and comple-\n     and public-facing servers. The overall objective         tion date. Of the remaining four recommendations,\n     of the assessment was to determine whether GPO           three were unresolved because of inadequate pro-\n     maintains a robust and effective vulnerability man-      posed actions by management. The unresolved rec-\n     agement program that can identify and circumvent         ommendations will be followed up on during the\n     common internal and external network threats in          next reporting period.\n     those environments. To accomplish our objectives,\n     we observed and evaluated GPO\xe2\x80\x99s network scanning         5. 
Audit Report 10-06\n                                                              (Issued March 31, 2010)\n     policies and process, analyzed the implementation\n     of production firewalls and routers, reviewed the        Security of GPO\xe2\x80\x99s e-Passport Supply Chain\n     effectiveness of software configuration and patch        GPO is the sole source for producing U.S. passports\n     management processes, and followed up on out-            for the U.S. Department of State. In FY 2007, GPO\n     standing recommendations from previous network           printed its last legacy passport and began producing\n     vulnerability assessments conducted by the OIG.          only e\xe2\x80\x91Passports to respond to Department of State\n           The OIG issued a sensitive report detailing that   requirements that passports be compliant with the\n     the Agency implemented a robust and effective vul-       International Civil Aviation Organization\xe2\x80\x99s (ICAO)\n     nerability management program that does iden-            standards for international passports. ICAO decided\n     tify and circumvent common internal and external         in favor of using contactless chip technology in pass-\n     network threats related to both the PPPS and pub-        ports that could be inserted into the passport covers\n     lic-facing servers. We also concluded that since our     to enable the storing of biometric and other informa-\n     last assessment the program has been significantly       tion about the passport holder. In FY 2008, the Agency\n     strengthened.                                            produced 23.6 million e-Passports.\n     4. Assessment Report 10-05                                    The e\xe2\x80\x91Passport book GPO produces contains\n     (Issued March 24, 2010)                                  more than 60 commercially available and uniquely\n                                                              assembled materials. 
Those materials include\n     Federal Digital System (FDsys) Independent               items such as cover stock, security paper, security\n     Verification and Validation (IV&V) \xe2\x80\x93                     inks, security threads, and security functions, both\n     Tenth Quarter Report on Risk Management,                 covert and overt. Suppliers of those materials are\n     Issues, and Traceability                                 located throughout the United States and in several\n     The tenth quarterly report identified a number of        foreign countries. SID selects suppliers and materi-\n     technical risks associated with FDsys development        als in collaboration with the Department of State.\n     practices, system engineering, COOP, existing PTRs,      The Department of State also collaborates with SID\n     and the FDsys test program. American Systems iden-       to perform security assessments of both the sup-\n     tified schedule and cost risks associated with these     pliers of computer chips for the e\xe2\x80\x91Passport as well\n     technical risks. The report contains six recommen-       as for the subcontractor responsible for inserting\n     dations designed to mitigate risks and strengthen        the chips into the passport covers. SID is solely\n     overall management of the FDsys program. Two of          responsible for vetting and performing security\n     the report\xe2\x80\x99s recommendations were subsequently           assessments of the remaining companies that sup-\n     closed as a result of the FDsys program\xe2\x80\x99s decision       ply e-Passport components.\n     to transition to an open-ended development effort             The OIG conducted an audit that assessed\n     with objectives (for example, new functionality)         the adequacy of GPO\xe2\x80\x99s security over its e\xe2\x80\x91Passport\n\n\n\n\n24   Off i c e o f I n s p e c t o r G e n e r a l\n\x0ccomponents and supply chain. 
The audit identified that the e-Passport supply chain security process was largely informal and that different GPO offices with overlapping e-Passport security responsibilities, such as SID, Acquisitions, Operations Support, Plant Operations, and Security Services, were working autonomously and had not coordinated their efforts. GPO should ensure continued security of the e-Passport supply chain by establishing a formal security oversight process.

In particular, because of this informal supply chain security process, the audit identified the following for the 16 suppliers of either significant components or operations in the e-Passport supply chain: (1) GPO had a total of 16 security assessment reports on only 11 of the 16 suppliers, (2) GPO did not have a direct contractual relationship with 6 of the 16 suppliers, (3) of the 10 e-Passport supplier contracts reviewed, 6 contracts did not contain security plans or security-related requirements, including contracts with a high-risk supplier and several overseas suppliers, and (4) GPO contract files lacked required documentation for 5 of the 10 e-Passport supplier contracts reviewed and did not contain evidence that GPO properly vetted the suppliers to ensure that they could meet GPO requirements in the most secure and economical manner. The audit also identified that GPO could strengthen the security process for storing some finished blank e-Passports and supplies, including the passport book covers containing the inlayed computer chips.

Recommendations were made to GPO management to help further improve the security of the e-Passport supply chain. GPO management concurred with each of the recommendations and has either already implemented or planned responsive corrective actions.

D. Status of Open Recommendations

Management officials made progress in implementing and closing many of the recommendations identified during previous semiannual reporting periods. For the 52 recommendations still open, a summary of the findings and recommendations, along with the status of actions for implementing the recommendation and OIG comments, follows.

1. Assessment Report 06-02
(Issued March 28, 2006)

GPO Network Vulnerability Assessment

Finding
Although GPO has many enterprise network controls in place, improvements that will strengthen the network security posture are needed. During internal testing, we noted several vulnerabilities requiring strengthening of controls. However, no critical vulnerabilities were identified during external testing. Although unclassified, we consider the results of the assessment sensitive and, therefore, limited discussion of its findings.

Recommendation
The OIG made four recommendations that should strengthen internal controls associated with the GPO enterprise network. Those recommendations should reduce the risk of compromise to GPO data and systems.

Management Comments
Management concurred with each recommendation and initiated corrective action.

OIG Comments
Two recommendations made in this report remain open. The OIG reviewed the status of these recommendations as part of the most recent Network Vulnerability Assessment completed in January 2010. The assessment identified that implementation of corrective actions is still ongoing.

2. Assessment Report 07-09
(Issued September 27, 2007)

Report on GPO’s Compliance with the Federal Information Security Management Act (FISMA)

Finding
FISMA requires that each executive branch agency develop, document, and implement an agency-wide program for providing information security for the information and information systems that support operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. Although a legislative branch agency, GPO recognizes the need to be FISMA compliant because of the services it provides, including services to executive branch agencies. The OIG issued a sensitive report concluding that although the Agency has taken steps to comply with FISMA, additional progress is needed to fully comply.

Recommendation
The report contains 11 recommendations that if implemented will help move GPO toward FISMA compliance.

Management Comments
Management concurred with each recommendation and proposed corrective actions.

OIG Comments
Management continues to work on implementing corrective actions for the seven remaining open recommendations.

3. Assessment Report 08-06
(Issued March 31, 2008)

Operating System Security for GPO’s Passport Printing and Production System

Finding
The PPPS includes various computer applications and operating systems that support production of passports. The Agency’s Plant Operations Division administers PPPS computer applications while its Chief Information Officer (CIO) is responsible for administering PPPS operating systems. If those operating systems are not configured securely, critical computer applications such as databases and custom applications are vulnerable to compromise.
The risk associated with compromise to the operating systems hosting such critical applications could result in services being disrupted, sensitive information being divulged, or even subject to forgery. The OIG assessed the security configuration for selected operating systems that support production of passports to determine whether GPO enforces an appropriate level of security.

Recommendation
The OIG issued a sensitive report containing eight recommendations designed not only to help strengthen security of the PPPS but also reduce the risk of system compromise.

Management Comments
Management generally concurred with each recommendation and proposed responsive corrective actions.

OIG Comments
One recommendation remains open.
4. Audit Report 08-10
(Issued September 11, 2008)

Diversity Management Programs at GPO

Finding
The OIG audited diversity management programs at GPO in response to a request from the Chairman of the Subcommittee on Federal Workforce, Postal Service, and the District of Columbia, of the House of Representatives’ Committee on Oversight and Government Reform. The audit identified that although not mandated to comply with the guidelines and directives of the Equal Employment Opportunity Commission (EEOC) concerning model affirmative action programs, before the audit was conducted senior officials at GPO began adopting some elements of both EEOC Management Directive-715 (MD-715) and the leading diversity management practices GAO identified. The audit also showed that opportunities exist for GPO to develop a more diverse population of qualified women and minorities in top leadership positions.

Recommendation
The OIG made two recommendations in the report: (1) incorporate the remaining essential elements of MD-715, and (2) implement the nine leading practices for diversity management GAO identified. Such modifications should help the Agency manage its workforce, create an environment that helps diminish barriers for protected groups, and help attract and retain capable employees from diverse backgrounds.

Management Comments
Management concurred with each recommendation and stated that implementation would require the Public Printer’s review and approval.

OIG Comments
Two recommendations remain open. Management continues with implementation of the remaining essential elements of MD-715 and the leading diversity management practices GAO identified.

5. Assessment Report 08-12
(Issued September 30, 2008)

Assessment of GPO’s Transition Planning for Internet Protocol Version 6 (IPv6)

Finding
The OIG assessed Agency planning for transition from Internet Protocol version 4 (IPv4) to version 6 (IPv6). Internet routing protocols are used to exchange information across the Internet. Protocols are standards that define how computer data are formatted and received by other computers. IPv6 is a developing Internet protocol that provides benefits such as more Internet addresses, higher qualities of service, and better authentication, data integrity, and data confidentiality. The OIG assessment identified that GPO plans to transition to IPv6 as part of a broad acquisition plan that will update its IT infrastructure. The Agency has not finalized target dates for the updates. The OIG believes that the planned transition is an effective long-term approach. In the short term, however, GPO should consider implementing the minimum IPv6 requirement, which should ensure that resources such as FDsys are capable of ingesting information from IPv6 sources.

Recommendation
The OIG made two recommendations to management that would enhance planning for the IPv6 transition.

Management Comments
Management concurred with each recommendation and has either taken or planned to take responsive corrective actions.

OIG Comments
One recommendation remains open. The recommendation remains open pending completion of GPO’s ongoing infrastructure refresh.

6. Assessment Report 09-01
(Issued November 4, 2008)

Federal Digital System (FDsys) Independent Verification and Validation (IV&V) - Fourth Quarter Report on Risk Management, Issues, and Traceability

Finding
The OIG contracted with American Systems, a company with significant experience in the realm of IV&V for Federal civilian and Defense agencies, to conduct IV&V for the first public release of FDsys. As part of its contract, the contractor is assessing the state of program management, technical and testing plans, and other efforts related to this public release. The contractor is required to issue to the OIG a quarterly Risk Management, Issues, and Traceability Report providing observations and recommendations on the program’s technical, schedule and cost risks, as well as requirements traceability of those risks and the effectiveness of the program management process in controlling risk. During the period this report covers, GPO launched a public beta version of FDsys containing a limited number of collections. This fourth quarterly report provides an overview of the key risks and issues identified by the FDsys IV&V team from April through June 2008, including security requirements and risk management.

Recommendation
The OIG made five recommendations to management intended to further strengthen management of the FDsys program.

Management Comments
Management concurred with each recommendation and proposed responsive corrective actions.

OIG Comments
Three recommendations remain open. Management continues to work on implementing corrective actions for these three remaining open recommendations.

7. Audit Report 09-02
(Issued December 22, 2008)

Audit of GPO’s Passport Printing Costs

Finding
GPO is the sole source for producing, storing, and delivering blank U.S. passport books (passports) for the Department of State. During the first 8 months of FY 2008, GPO produced 18.6 million passports and realized revenue from passport sales of more than $275 million, including $71.5 million in net income. The OIG identified two specific areas where GPO can improve the accountability and transparency of its passport costing process to better prepare the Agency for any future audits or reviews by outside entities and promote good customer relations with the Department of State. First, through the May 2008 audit time period, we found that GPO generated more than $43 million in excess cash from passport sales to the Department of State beyond what was necessary to recover costs and provide for mutually agreed upon future capital expansion. That condition occurred because GPO did not revise its original passport pricing structure and did not reach final agreement with the Department of State on a capital investment plan to earmark the excess cash. We also found that GPO, at its discretion, changed its indirect overhead cost allocation methodology for passport costs without documenting the justification and analysis for the change. As a result, the Agency increased the amount of indirect overhead allocated to passport costs from 5.65 percent, or $4 million, in FY 2007, to 52 percent, or $40 million, through May 2008.

Recommendation
The OIG made five recommendations to management to help GPO improve the accountability and transparency of its passport costing process.

Management Comments
Management concurred with each recommendation and proposed responsive corrective actions.

OIG Comments
One recommendation remains open. Management is in the process of revising indirect cost rates. We anticipate closure of this recommendation upon implementation of the revised rates.

8. Assessment Report 09-03
(Issued December 24, 2008)

Federal Digital System (FDsys) Independent Verification and Validation (IV&V) – Fifth Quarter Report on Risk Management, Issues, and Traceability

Finding
This fifth quarterly report provides an overview of the key risks and issues identified by the FDsys IV&V team from July through September 2008, including those related to the FDsys detail design, and system integration testing as well as technical, schedule, and cost risks the program faces.

Recommendation
The OIG made 10 recommendations to management intended to further strengthen management of the FDsys program.

Management Comments
Management concurred with six of the recommendations, partially concurred with one, and nonconcurred with three. Management proposed responsive corrective actions to six of the recommendations. While we disagreed with management’s position on the remaining four recommendations, we accepted management’s proposed alternative corrective actions.

OIG Comments
Four recommendations remain open. Management continues to take responsive actions to implement the four recommendations.

9. Assessment Report 09-04
(Issued December 24, 2008)

Federal Digital System (FDsys) Independent Verification and Validation (IV&V) – Security Analysis Report

Finding
This report provides an overview of key risks and issues identified by the FDsys IV&V team as a result of their review of the revised FDsys system security plan. The IV&V team concluded that the revised system security plan was a greatly improved document reflecting a positive effort to include relevant security controls. However, the IV&V team concluded that the revised systems security plan did not adequately detail the security controls in place, or those planned to be in place for the protection of confidentiality, integrity, and availability of the systems data and associated resources.

Recommendation
The OIG made five recommendations intended to strengthen FDsys system security planning and implementation.

Management Comments
Management concurred with each recommendation and proposed responsive corrective actions.

OIG Comments
Three recommendations remain open. Management continues to take responsive actions to implement the three recommendations.

10. Assessment Report 09-07
(Issued March 20, 2009)

Federal Digital System (FDsys) Independent Verification and Validation (IV&V) – Sixth Quarter Report on Risk Management, Issues, and Traceability

Finding
This sixth quarterly report provides an overview of the key risks and issues identified by the FDsys IV&V team from October 2008 through January 9, 2009, including security and the state of program activities required for deployment as well as technical, schedule, and cost risks.

Recommendation
The OIG made four recommendations intended to further strengthen management of the FDsys program.

Management Comments
Management concurred with each recommendation and proposed responsive corrective actions.

OIG Comments
Three recommendations remain open. Management continues to take responsive actions to implement the three recommendations.

11. Assessment Report 09-12
(Issued September 30, 2009)

Federal Digital System (FDsys) Independent Verification and Validation (IV&V) – Seventh Quarter Report on Risk Management, Issues, and Traceability

Finding
This seventh quarterly report, for the period January 1, 2009, through May 8, 2009, identifies critical technical, schedule, and cost risks for the FDsys Program. The report provides a high-level overview of the key risks and issues that IV&V identified during the reporting period. The report also discusses IV&V assessments covering FDsys security and the state of program activities required for deployment performed over the same time period.

Recommendation
The OIG made 25 recommendations designed to strengthen FDsys program management, particularly for future FDsys releases.

Management Comments
Management generally concurred with each recommendation with the exception of one and proposed responsive corrective actions for each.

OIG Comments
A total of 23 recommendations remain open. The OIG and IV&V team continue to monitor the status of their implementation.

Table of Open Recommendations

Audit                                                                                   Number of Open Recommendations   Number of Months Open
06-02 GPO Network Vulnerability Assessment                                                            2                           48
07-09 GPO’s Compliance with the Federal Information Security Management Act                           7                           30
08-06 Operating System Security for GPO’s Passport Printing and Production System                     1                           24
08-10 Diversity Management Programs at GPO                                                            2                           18
08-12 Assessment of GPO’s Transition Planning for Internet Protocol Version 6 (IPv6)                  1                           18
09-01 Federal Digital System (FDsys) Independent Verification and Validation (IV&V) -                 3                           16
      Fourth Quarter Report on Risk Management, Issues, and Traceability
09-02 GPO’s Passport Printing Costs                                                                   1                           15
09-03 FDsys IV&V – Fifth Quarter Report on Risk Management, Issues, and Traceability                  4                           15
09-04 FDsys IV&V – Security Analysis Report                                                           3                           15
09-07 FDsys IV&V – Sixth Quarter Report on Risk Management, Issues, and Traceability                  3                           15
09-12 Federal Digital System (FDsys) Independent Verification and Validation (IV&V) –                23                            6
      Seventh Quarter Report on Risk Management, Issues, and Traceability
09-13 Accounts Payable Service Billings                                                               1                            6
09-14 GPO Workers’ Compensation Program                                                               1                            6
Total                                                                                                52

12. Audit Report 09-13
(Issued September 30, 2009)

Accounts Payable Service Billings

Finding
The OIG conducted an audit that evaluated GPO’s processes and procedures for invoice payment. The audit found that controls over accounts payable, including the processes and procedures for tracking vendor invoices from receipt through payment, can be further strengthened and more consistently followed. In addition, complete audit trails supporting transactions in the Agency’s accounts payable systems did not always exist.
Specific weaknesses identified during transaction testing included missing end-user approvals, missing support for Contracting Officer payment authorization, no evidence of invoice examination and certification, and hard copy invoice data that could not be reconciled to the accounts payable system. As a result, there was no assurance that management controls were operating effectively, which could have resulted in a potential misstatement of monthly and annual financial information.

Recommendation
The OIG made two recommendations to GPO management to help improve controls over accounts payable service billings, and specifically, GPO’s processes and procedures for invoice payment.

Management Comments
GPO Management concurred with each recommendation and proposed responsive corrective actions.

OIG Comments
One recommendation remains open. Management is in the process of completing standard operating procedures for receiving, processing, and disbursing vendor invoices for payment. The recommendation should be completed and closed during the next reporting period.

13. Audit Report 09-14
(Issued September 30, 2009)

GPO Workers’ Compensation Program

Finding
The OIG completed an audit of GPO’s Workers’ Compensation Program to determine whether GPO’s program was complying with appropriate Federal guidelines, regulations, and directives related to worker’s compensation, and GPO employee claims for worker’s compensation are supported by required documentation. The audit identified that GPO’s OWC should be commended for improvements in both the organization and management of this program. Since a previous OIG audit in 2002, controls over the GPO Workers’ Compensation Program have been strengthened and the program has undergone significant changes. The audit found that the overall amount of billings from the Department of Labor for the cost of workers’ compensation benefits paid on GPO’s behalf decreased to less than $6 million during FY 2007. In addition, the total number of GPO workers’ compensation claimants decreased from 193 in 2002 to 136 in 2008. The audit identified several areas where procedural and policy improvements could be made to further enhance and strengthen the Workers’ Compensation Program.

Recommendation
The OIG made two recommendations to management designed to ensure that the program continues to be operated in an efficient and effective manner.

Management Comments
Management generally concurred with the recommendations and agreed to take responsive corrective actions or alternative actions to address the issues identified.

OIG Comments
One recommendation remains open. The recommendation should be closed during the next reporting period.

Office of Investigations

OI conducts and coordinates investigative activity related to fraud, waste, and abuse in GPO programs and operations.
While concentrating our efforts and resources on major fraud investigations, the activities investigated can include possible wrongdoing by GPO contractors, employees, program participants, and others who commit crimes against GPO. Special Agents in OI are Federal Criminal Investigators (general schedule job series 1811) and are designated as Special Police Officers. Investigations that uncover violations of Federal law or GPO rules or regulations may result in administrative sanctions, civil action, and/or criminal prosecution. Prosecutions may result in court-imposed prison terms, probation, fines, or restitution. OI may also issue Management Implication Reports (MIRs), which identify issues uncovered during an investigation it believes warrant management’s prompt attention.

OI is responsible for investigations at all GPO locations, including the 15 GPO Regional Printing Procurement Offices (RPPOs) nationwide. OI also maintains a continuing liaison with the GPO Security Services and Uniform Police Branch, to coordinate efforts impacting these law enforcement programs. Liaison is also maintained with the Department of Justice, the National Procurement Fraud Task Force, and other investigative agencies and organizations.

A. Summary of Investigative Activity
At the end of last reporting period, 24 complaints were open. OI opened 26 new complaint files this period, 11 complaints were converted to full investigations, and 8 were closed after preliminary review with no action. Additionally, eight complaints were referred to GPO management and one to another agency. At the end of the reporting period, 22 complaints were open.

At the end of the last reporting period, 38 investigations were open.
During this reporting period, 15 investigations were closed, 7 of which resulted in referrals to GPO management for potential administrative action. Ongoing at the end of this reporting period are 33 investigations.

During this reporting period, we made seven presentations to the Department of Justice for potential criminal prosecutions. Each of those presentations resulted in declinations, and those cases will now be pursued civilly and/or administratively. No formal presentations were made for civil purposes during this reporting period.

Multiple investigations are being conducted in coordination with the Department of Justice, including its Antitrust Division. Twelve IG subpoenas were issued during this period. Documents requested included financial records, bid preparations, and agreements among contractors and/or affiliated companies.

B. Types of Cases

Procurement Fraud
OI seeks to uncover any wrongdoing by GPO contractors or employees during administration of GPO contracts. Violations can include false statements, false claims, kickbacks, product substitution, collusive bidding, bribery, and financial conflicts of interest. In FY 2009, GPO procured over $675 million in goods and services. With such vulnerability in mind, OI has focused much investigative development to the area of procurement fraud. The inventory of procurement fraud complaints/investigations has increased to 23 open procurement fraud investigations today, or 64 percent of our active caseload. Including allegations in complaint status, OI has 31 open procurement matters.

Workers’ Compensation Fraud
OI investigates GPO employees who allegedly submit false claims or make false statements to receive workers’ compensation benefits. We are working on five investigative matters (complaints and investigations) involving possible fraudulent claims for workers’ compensation.

Employee Misconduct
OI investigates allegations involving GPO employee misconduct. Allegations generally include false statements, theft of Government property or funds, assaults, misuse of Government computers, drug violations, gambling, and travel voucher fraud. OI has seven open investigations, and five preliminary complaints, involving alleged employee misconduct.

Other Investigations
OI conducts other types of investigations that do not fall into one of the categories above. Examples of such investigations include theft of Government property, illegal hacking, or requests for investigations by other legislative agencies. OI has two open investigative matters involving these types of allegations.

C. Summary of Investigative Accomplishments

Criminal and Civil Cases
• An OI investigation found evidence of a GPO printing contractor who failed to comply with critical contract specifications throughout the performance period. Under GPO contract terms, Publication 310.2, Clause 24(b), submission of any invoice for work completed under a GPO contract is a certification that the work was completed in accordance with contract terms. The contractor submitted at least 10 invoices to GPO. GPO suspended and proposed debarment of the company and the company’s officers from doing business with GPO as a contractor, subcontractor, or contractor’s representative. We previously reported that this matter was accepted for action by the Department of Justice and a Civil Demand Letter was issued to the contractor. Negotiations toward civil settlement continue.
• OI is conducting an investigation into allegations of false statements, false claims, forgery, and/or bid collusion by GPO print vendors. OI has the assistance of the Department of Justice Antitrust Division, which is evaluating the case for possible criminal and/or civil action.
• OI continues an investigation of allegations relating to false statements and/or false claims to GPO. OI is coordinating this investigation with the Department of Justice Antitrust Division. The Department of Justice continues to evaluate this case for possible criminal and/or civil action.
• Investigation of a printing contractor determined GPO paid more than $175,000 after the company submitted delivery receipts and invoiced for payment, but failed to perform according to specifications and did not deliver all products. Though the Department of Justice declined criminal prosecution, the investigation continues toward possible civil and administrative resolution.
• We previously reported that an OI investigation of over-billing by a GPO print contractor was accepted for potential civil action by the Department of Justice. Investigation determined that from February 2002 until February 2004 the company President over billed GPO approximately $499,000. Settlement discussions continue.

Internal Administrative Cases
• OI investigated allegations that a GPO employee used or attempted to use her position for personal financial gain and to benefit close friends. This joint investigation with the Department of Justice Public Integrity Section included numerous interviews, records reviews, and analysis by an independent subject matter expert. The Department of Justice declined prosecution and the investigative results were referred to management. Management proposed terminating the employee. Further details will be reported when final action takes place.
• OI investigated disposition of 18 laptop/portable computers identified as missing from an IT&S storage area at the GPO headquarters building. OI reported to management that as a result of the lack of security and inventory controls in IT&S, in conjunction with general disregard for property management controls outlined in GPO Directive 810.11B, OI was unable to determine the final disposition of 18 missing laptops. The findings of the investigation were referred to OAI, which initiated an audit of IT&S property management protocols. Specific recommendations will be outlined as part of the final audit report.
• An OI investigation disclosed evidence that GPO employees failed to provide truthful information during an administrative investigation conducted by the GPO HC Office. The Department of Justice declined the matter for prosecution and the OI referred it to management for action. During this period, at the request of GPO Office of General Counsel (OGC), OI agents sought affidavits from witnesses, confirming written reports of their earlier verbal statements. We previously reported that GPO issued notices of intent to terminate from employment four employees and placed them on administrative leave. Three of the employees retired after receiving notice of termination and the fourth received a 30-day suspension and demotion. Further details will be reported when all actions are finalized.
• The Uniform Police Branch referred allegations of a possible physical assault of a GPO contractor by a GPO employee and provided video surveillance footage of the alleged incident. OI reviewed the video and interviewed those involved. The facts of the case were presented to the Department of Justice and declined for criminal prosecution. We recently referred the report of investigation to management for consideration of administrative action and additional employee training in zero violence, EEO, and harassment.
• An investigation was initiated after OI learned a former GPO employee used an official Government travel card to make inappropriate purchases. Investigation determined the former employee, who made no official trips, owed Citibank approximately $4,989 for purchases at retail stores such as Marshalls, Macys, Target, and Walmart. The former employee was able to make these purchases because automatic and appropriate travel card purchasing limitations were not in place. Because the government is not liable for the former employee’s non-payment and debt collection options are still available, this matter was not referred to the Department of Justice. The results of this investigation were referred to the GPO management for appropriate action. GPO now has appropriate purchasing limitations in place for all GPO travel cards.
• OI investigated allegations of a GPO employee on workers’ compensation alleged to have provided landscaping services without declaring the income as required by the Department of Labor’s Office of Workers’ Compensation Programs. Although our investigation determined the employee was mowing lawns for a fee, we could not determine the specific time frames of when these services were provided or how much money was earned. As a result, neither the Department of Labor nor the Department of Justice pursued recovery action against the individual. Our report of investigation was referred to the Department of Labor and the Chief, Workers’ Compensation Services for GPO. The Department of Labor indicated they intend to request a second opinion medical evaluation to determine if the initial injury is still active.
• OI received allegations that an employee was using GPO equipment to copy and sell digital video discs (DVDs) during work hours. The employee admitted that for approximately the last 3 years he has sold from 75 to 100 illegally copied movies for about $5 per copy to GPO employees but denied using GPO equipment to make copies of the movies. We found no evidence to support the allegation he was using GPO equipment to make illegal copies of movies. The Department of Justice declined criminal prosecution and the OI referred to management for action. Though action is not final, a 3-day suspension was proposed.
• OI investigated allegations that a GPO employee threatened a co-worker. He was suspended from employment when OI reported facts surrounding charges against him for domestic violence. Further investigation by OI revealed other instances of misconduct. Interviews revealed that since at least 2006, the employee engaged in threatening and unprofessional conduct both with his supervisors and co-workers. Results of OI’s investigation were forwarded in support of agency proposed action. The employee resigned while on indefinite suspension.
• OI assisted OPM by conducting interviews of GPO HC Office personnel during a recent OPM evaluation of GPO’s competitive examining authority exercised under a delegation agreement with OPM. OPM presented findings to management and representatives of the OIG. A written report is expected.

External Administrative Cases
• Results of an OI investigation were referred to management for consideration of suspension/debarment of a printing contractor and its officers/owners. The investigation was initiated based on allegations that a GPO contractor submitted a fraudulent shipping receipt and invoice to GPO for payment. Our investigation revealed that in 2008 the company shipped a product with a shortage valued at approximately $6,547, yet billed GPO the full value of $23,000. Investigation also determined the contractor may have acted as a broker and likely subcontracted part of the predominant function to another company in violation of GPO contract terms.
• An OI investigation of a GPO contractor for alleged submission of fraudulent shipping receipts and invoices resulted in the referral of investigative results to GPO management for further review and action. Investigation revealed testimony that the contractor shorted one shipment yet billed in full, substituted higher quality proofs with lower quality proofs, and attempted to invoice for overnight shipping despite their shipping the proofs through regular mail. Two contracts were subsequently modified and discounted and the third was cancelled by the customer agency for unrelated reasons. Due to the low dollar value, this matter was not referred to the Department of Justice.
• OI investigated allegations of a violation of the Buy American Act by a GPO contractor. A GPO RPPO reported the contractor shipped his product from Canada on two occasions. Research revealed the contractor had only been awarded two small contracts. When contacted by OI, the contractor admitted his company had no facilities in the United States and would be ineligible for further awards. These investigative results were referred to the GPO Managing Director of Print Procurement and OGC for their information.
• OI referred information to the GPO Deputy Manager, Director of Publications and Information Sales, after an investigation determined that, between July 2006 and May 2009, a GPO customer submitted 53 checks to GPO totaling approximately $5,611 not honored by GPO’s banking institution because of insufficient funds. Though employees in GPO’s Publication Sales Program were instructed to screen sales orders from the subject company, checks continued to be submitted and returned. Though both civil and criminal remedies and penalties exist for passing bad checks, no referral was made to the Department of Justice for prosecution because of GPO’s lack of internal controls. The results of this investigation were referred to GPO management, with suggested process improvements.

D. Other Significant Activities
While OI investigative resources were primarily deployed in response to reported reactive matters represented above, we continue other aggressive efforts to improve our abilities to detect, prevent, and investigate the loss of Government assets. The following summarizes other significant activities occurring in OI:
• During this reporting period, the IG and his executive staff, including managers of OI, held productive meetings with the GPO Acquisitions Services. At the invitation of the Director of Acquisitions Services, OI provided a Procurement Fraud Presentation to staff members.
• Future activities are planned with Acquisitions Services, including a more detailed question and answer session concerning detection of fraud. A joint quality assurance field visit for purposes of OI training is also anticipated.
• OI attended the Print Procurement Managers’ meeting, with contracting supervisors from headquarters and RPPOs, and responded to questions concerning reporting fraud allegations to the OIG.
• OI monitored GPO’s significant progress toward implementation of OI MIR recommendations relating to GPO contractors and security of PII and the Publication of House Document 111-37 on U.S. Nuclear Sites.
• OI and OAI continue to strategize concerning possible proactive initiatives for detecting fraud within GPO. One such future initiative may involve recurring allegations of product substitution on GPO contracts, particularly in the area of paper specifications.
• Two OI criminal investigators have elected to seek their designations as Certified Fraud Examiners.

Appendix

APPENDIX A
Glossary and Acronyms

Glossary
Allowable Cost - A cost necessary and reasonable for the proper and efficient administration of a program or activity.
Change in Management Decision - An approved change in the originally agreed-upon corrective action necessary to resolve an IG recommendation.
Disallowed Cost - A questionable cost arising from an IG audit or inspection that management decides should not be charged to the Government.
Disposition - An action that occurs from management’s full implementation of the agreed-upon corrective action and identification of monetary benefits achieved (subject to IG review and approval).
Final Management Decision - A decision rendered by the GPO Resolution Official when the IG and the responsible GPO manager are unable to agree on resolving a recommendation.
Finding - Statement of problem identified during an audit or inspection typically having a condition, cause, and effect.
Follow-up - The process that ensures prompt and responsive action once resolution is reached on an IG recommendation.
Funds Put To Better Use - An IG recommendation that funds could be used more efficiently if management took actions to implement and complete the audit or inspection recommendation.
Management Decision - An agreement between the IG and management on the actions taken or to be taken to resolve a recommendation.
     The agreement may include an agreed-upon dollar amount affecting the recommendation and an estimated completion date unless all corrective action is completed by the time agreement is reached.
Management Implication Report - A report to management issued during or at the completion of an investigation identifying systemic problems or advising management of significant issues that require immediate attention.
Material Weakness - A significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected.
Questioned Cost - A cost the IG questions because of an alleged violation of a law, regulation, contract, cooperative agreement, or other document governing the expenditure of funds; such cost is not supported by adequate documentation; or the expenditure of funds for the intended purposes was determined by the IG to be unnecessary or unreasonable.
Recommendation - Actions needed to correct or eliminate recurrence of the cause of the finding identified by the IG to take advantage of an opportunity.
Resolution - An agreement reached between the IG and management on the corrective action or upon rendering a final management decision by the GPO Resolution Official.
Resolution Official - The GPO Resolution Official is the Deputy Public Printer.
Resolved Audit/Inspection - A report containing recommendations that have all been resolved without exception, but have not yet been implemented.
Unsupported Costs - Questioned costs not supported by adequate documentation.

Abbreviations and Acronyms
AICPA     American Institute of Certified Public Accountants
CIGIE     Council of Inspectors General on Integrity and Efficiency
CIO       Chief Information Officer
CPS       Certification Practices Statement
COA       Continuity of Access
COOP      Continuity of Operations
COTR      Contracting Officer’s Technical Representative
DHS/CPB   Department of Homeland Security/Customs and Border Patrol
FDsys     Federal Digital System
EEOC      Equal Employment Opportunity Commission
FISMA     Federal Information Security Management Act
FY        Fiscal Year
GAO       Government Accountability Office
GBIS      GPO’s Business Information System
GPO       U.S. Government Printing Office
HSPD-12   Homeland Security Presidential Directive-12
ICAO      International Civil Aviation Organization
IG        Inspector General
IPA       Independent Public Accountant
IPv6      Internet Protocol version 6
IT        Information Technology
IT&S      Information Technology and Systems
IV&V      Independent Verification and Validation
MIR       Management Implication Report
OA        Organization Architects
OALC      Office of Administration/Legal Counsel
OAI       Office of Audits and Inspections
OGC       Office of General Counsel
OI        Office of Investigations
OIG       Office of Inspector General
OMB       Office of Management and Budget
OPM       Office of Personnel Management
OWC       Office of Workers’ Compensation
PII       Personally Identifiable Information
PKI       Public Key Infrastructure
PO        Privacy Officer
PPPS      Passport Printing and Production System
PTR       Problem Tracking Report
PURL      Persistent Uniform Resource Locator
RPPO      Regional Printing Procurement Office
SAS       Statement on Auditing Standards
SCC       Secure Credential Center
SID       Security and Intelligent Documents
SPF       Secure Production Facility
SSP       Shared Service Provider
TTP       Trusted Traveler Program

APPENDIX B
Inspector General Act Reporting Requirements

Inspector General (IG) Act Citation   Requirement Definition                                        Cross-Reference Page Number(s)

Section 4(a)(2)                       Review of Legislation and Regulations                         8
Section 5(a)(1)                       Significant Problems, Abuses, and Deficiencies                21–32
Section 5(a)(2)                       Recommendations for Corrective Actions                        21–25
Section 5(a)(3)                       Prior Audit Recommendations Not Yet Implemented               25–32
Section 5(a)(4)                       Matters Referred to Prosecutorial Authorities                 35–38
Section 5(a)(5)                       Summary of Refusals to Provide Information                    n/a
Sections 5(a)(6) and 5(a)(7)          OIG Audit and Inspection Reports Issued (includes total       21–25
                                      dollar values of Questioned Costs, Unsupported Costs,
                                      and Recommendations that Funds Be Put To Better Use)
Section 5(a)(8)                       Statistical table showing the total number of audit           43
                                      reports and the total dollar value of questioned costs
Section 5(a)(9)                       Statistical table showing the total number of audit           44
                                      reports and the dollar value of recommendations that
                                      funds be put to better use
Section 5(a)(10)                      Summary of prior Audit and Inspection Reports issued          n/a
                                      for which no management decision has been made
Section 5(a)(11)                      Description and explanation of significant revised            n/a
                                      management decision
Section 5(a)(12)                      Significant management decision with which the IG is in       n/a
                                      disagreement

APPENDIX C
Statistical Reports

Table C-1: Audit Reports With Questioned and Unsupported Costs

Description                                       Questioned Costs    Unsupported Costs   Total

Reports for which no management decision
made by beginning of reporting period             $0                  $0                  $0
Reports issued during reporting period            $0                  $0                  $0
Subtotals                                         $0                  $0                  $0
Reports for which a management decision
made during reporting period
  1. Dollar value of disallowed costs             $0                  $0                  $0
  2. Dollar value of allowed costs                $0                  $0                  $0
Reports for which no management decision
made by end of reporting period                   $0                  $0                  $0
Reports for which no management decision
made within 6 months of issuance                  $0                  $0                  $0

Table C-2: Audit Reports With Recommendations That Funds Be Put to Better Use

Description                                       Number of Reports   Funds Put To Better Use

Reports for which no management
decision made by beginning of
reporting period                                  0                   $0
Reports issued during the
reporting period                                  0                   $0
Reports for which a management
decision made during reporting
period
  • Dollar value of recommendations
    agreed to by management                       0                   $0
  • Dollar value of recommendations
    not agreed to by management                   0                   $0
Reports for which no management
decision made by the end of the
reporting period                                  0                   $0
Report for which no management
decision made within 6 months of
issuance                                          0                   $0

Table C-3: List of Audit and Inspection Reports Issued During Reporting Period

Reports                                                       Funds Put To Better Use

Report on Federal Digital System (Fdsys) Independent
Verification and Validation – Ninth Quarter Report on
Risk Management, Issues, and Traceability
(Assessment Report 10-01, issued December 2, 2009)            $0

Report on the Consolidated Financial Statement Audit
of the GPO for the FYs Ended September 30, 2009
and 2008 (Audit Report 10-02, issued January 8, 2010)         $0

Report on GPO’s Compliance with the Federal Information
Security Management Act (Assessment Report
10-03, issued January 12, 2010)                               $0

Report on Assessment of GPO Network Vulnerability
Management (Assessment Report 10-04, issued
January 19, 2010)                                             $0

Report on Federal Digital System (Fdsys) Independent
Verification and Validation – Tenth Quarter Report on
Risk Management, Issues, and Traceability
                                                          $0\n    (Assessment Report 10-05, issued March 24, 2010)\n\n\n\n\n    Report on Audit of Security of GPO\xe2\x80\x99s e-Passport\n    Supply Chain (Audit Report 10-06, issued\n    March 31, 2010)                                                    $0\n\n\n\n\n    Total                                                              $0\n\n\n\n\n                                                             S e m i a n n u a l r e p o r t t o c o n g r e ss   45\n\x0c     Table C-4 : Investigations Case Summary\n\n\n         Total New Hotline/Other Allegations Received during\n         Reporting Period                                      42\n\n\n\n         No Formal Investigative Action Required               14\n\n\n\n         Investigations Opened by OI during Reporting          10\n         Period\n\n\n         Investigations Open at Beginning of                   38\n         Reporting Period\n\n\n         Investigations Closed during Reporting Period         15\n\n\n\n         Investigations Open at End of Reporting Period        33\n\n\n\n         Referrals to GPO Management                           15\n\n\n\n         Referrals to Other Agencies                            5\n\n\n\n         Referrals to OAI                                       0\n\n\n\n\n46   Off i c e o f I n s p e c t o r G e n e r a l\n\x0cCurrent Open Investigations by Allegation            33\n\n\n\nProcurement Fraud                                    21             64%\n\n\n\nEmployee Misconduct                                   7             21%\n\n\n\nWorkers\xe2\x80\x99 Compensation Fraud                           3             9%\n\n\n\nOther Investigations                                  2             6%\n\n\n\n\n                                            \xe2\x96\xa0\xe2\x96\xa0\xe2\x80\x82 Procurement   Fraud\n                                            \xe2\x96\xa0\xe2\x96\xa0\xe2\x80\x82 Employee  Misconduct\n                
                            \xe2\x96\xa0\xe2\x96\xa0\xe2\x80\x82 Workers\xe2\x80\x99 Compensation Fraud\n\n                                            \xe2\x96\xa0\xe2\x96\xa0\xe2\x80\x82 Other Investigations\n\n\n\n\n                                                              S e m i a n n u a l r e p o r t t o c o n g r e ss   47\n\x0c     Table C-5 : Investigations Productivity Summary\n\n         Arrests\t                                                    0\n\n         Total Presentations to Prosecuting Authorities\t             7\n\n         Criminal Acceptances\t                                       0\n\n         Criminal Declinations\t                                      7\n\n         Indictments\t                                                0\n\n         Convictions\t                                                0\n\n         Guilty Pleas\t                                               0\n\n         Probation (months)\t                                         0\n\n         Jail Time (days)\t                                           0\n\n         Restitutions\t                                               0\n\n         Civil Acceptances\t                                          0\n\n         Civil Demand Letters\t                                       0\n\n         Civil Declinations\t                                         0\n\n         Amounts Recovered Through Investigative Efforts\t            0\n\n         Total Agency Cost Savings Through Investigative Efforts\t    0\n\n         Total Administrative Referrals\t                            15\n\n         Contractor Debarments (Referral)\t                           1\n\n         Contractor Suspensions\t                                     0\n\n         Contractor Other Actions\t                                   0\n\n         Employee Suspensions (1 Proposed)\t                          2\n\n         Employee Terminations (Proposed)\t                           1\n\n         Employee Other 
Actions (resignations)\t                      3\n\n         Other Law Enforcement Agency Referrals\t                     4\n\n         Inspector General Subpoenas\t                               12\n\n\n\n\n48   Off i c e o f I n s p e c t o r G e n e r a l\n\x0c\x0c     U.S. Government Printing Office\n       Office of Inspector General\n732 North Capitol Street, NW, Washington, D.C. 20401\n          202.512.0039 \xe2\x80\xa2 www.gpo.gov/oig\nOIG Hotline 1.800.743.7574 \xe2\x80\xa2 gpoighotline@gpo.gov\n\x0c'